11241100x80000000000000001545806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:54.812{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:54.812{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68751DC9A0C06132ED1152C15BA877E4,SHA256=8502BE19546AD449F89531F7244664BD0686E0C58DE4C33CA1EE486A6B833814falsefalse - insufficient disk space 11241100x80000000000000001545815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.899{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.899{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1141887441C88083F3CF7E143BE6970,SHA256=64ABC7BCF794755AA35BC5FDF59A1F0921E5EF4B582BF05039099644A4C51CAFfalsefalse - insufficient disk space 10341000x80000000000000001066903Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:55.915{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066902Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:55.915{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066901Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:55.181{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2740488F9C1F401C282499530C7794B1,SHA256=6ACF9E79450D23DBA701244B227AAE46DFBC78950C057FB3C5F92A09580679A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001545813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.478{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001545812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.478{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001545811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.477{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001545810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.078{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.077{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA30DD99C9DD4845E4150EE997221DD,SHA256=3F52B862F2D4F4AC7CEFB6D2DF4DBD8625301008EAD8BE90C7D1AED275CD74F7falsefalse - insufficient disk space 11241100x80000000000000001545808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.077{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.077{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AECB43A722322AB027502A43EAEEFE59,SHA256=F420F2E9E77376CA8D2218A789FAEF2FD8ABC2E26DFF16CA83BB432D461648E7falsefalse - insufficient disk space 11241100x80000000000000001545818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:56.902{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:56.902{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C13DCADF581637D764BF073162C1A59,SHA256=654492CEB5E8E56D0679E1A1F4F918DF21D5443EB7F24DFE9DAE0CD60C47E365falsefalse - insufficient disk space 354300x80000000000000001545816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:53.627{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64978-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001066908Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:56.916{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066907Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:56.916{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066906Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:56.890{761B69BB-818C-607D-0D00-00000000BA01}9046912C:\Windows\system32\svchost.exe{761B69BB-63E3-6080-E95C-00000000BA01}6292C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066905Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:56.890{761B69BB-818C-607D-0D00-00000000BA01}9046912C:\Windows\system32\svchost.exe{761B69BB-63E3-6080-E95C-00000000BA01}6292C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066904Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:56.194{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9245DCD791698286AC1850B389DA888C,SHA256=D72F378DBEE9B476F4DF3D51316B2E909FAAF3628A9CC8B4A6EADA7A634AFFD2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:57.904{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:57.904{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704EFC2F42A9F656E1CB902C04746DE8,SHA256=895487410D1576B438ED2CE08E5B2A644C1E4F459AE1716C2EC4AED70682531Afalsefalse - insufficient disk space 10341000x80000000000000001066913Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:57.917{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066912Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:57.917{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066911Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:57.203{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32599F835EE0EB4E7D50B39A90C98E90,SHA256=FB10977C9C74C03E8DF353F765FE52E4F1F1979EC2239331AC7C16882DA7071D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066910Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:57.151{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72329CF878234A66A5A419DDB48C9707,SHA256=4762C30FE876F6F963A25D1F76E5123C3F5F8608AFF074AF8E6AFDBE51DD7868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066909Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:57.150{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D92BBCB35BC61DA88AA138E49A25370,SHA256=D86104F7A4F16F61E160F58EDF8E9DBF6ED213F5957AACDF89E752BEABF6F98E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:58.953{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:58.953{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F7917B88CB83F33383257A0F9F3AD6,SHA256=050CADFA89608C63656B6388375F27365B6C80C16F23C0437B870CBCDFB2FBB3falsefalse - insufficient disk space 10341000x80000000000000001066917Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:58.918{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066916Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:58.918{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001066915Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:52.813{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32478-false10.0.1.12-8000- 23542300x80000000000000001066914Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:58.211{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5062F08C2239F4F501233034A67298CD,SHA256=B9811437FC71CC4725BF2D80632E03ED30F1F0C1FCF782E22E5EFD1124871294,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:59.971{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:59.971{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F71CC3D27980055AEED1D06B756F4E5,SHA256=55090A0CBA8DF55383D3E3F4F30F251EBCC948AB3858039242A90A9E227F9EE9falsefalse - insufficient disk space 10341000x80000000000000001066920Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:59.918{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066919Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:59.918{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066918Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:59.216{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B70772BE4CA0D0420FB967E09781A5,SHA256=E2CCA4CBF4F82CF33343EC2FF0CBCB1366F8B3DC1BB4A56C60E489C95D88F576,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:00.973{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:00.973{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3BB3FDFE7294E2CFBFAC6A28D2035F,SHA256=559C39460DFE90F6510F19A82D8FCA9386B1EFE0C62B30142BF3759FCC5A9F0Cfalsefalse - insufficient disk space 10341000x80000000000000001066923Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:00.919{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066922Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:00.919{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066921Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:00.223{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DFEE0DAFF88D450905D9847561E119,SHA256=2331E1186F1F652642C509C3CDB809DE7CB82C2298E66D2F9FAD3EF62361B2C4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.975{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.975{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA79857659C42DB1CD5135EF851D2522,SHA256=03F7A729DF64E98D08D65E54F57495F1CDB7126BFF19634FB2F15849B07F0BA7falsefalse - insufficient disk space 10341000x80000000000000001066926Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:01.920{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066925Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:01.920{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066924Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:01.230{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F808994FA88EAB60E365A5D74A30273C,SHA256=0BD1D3D04D23DB476CF0889E8EBC6362538A22A78B0F45205DAC5FB7D5DE44B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.211{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.211{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FC860BB41C12A088825F6AB719B9EC,SHA256=325F73D9159C3316952999C9328A4AC85D21645423130EEE66C663DBE069AF90falsefalse - insufficient disk space 11241100x80000000000000001545828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.211{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.211{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA30DD99C9DD4845E4150EE997221DD,SHA256=3F52B862F2D4F4AC7CEFB6D2DF4DBD8625301008EAD8BE90C7D1AED275CD74F7falsefalse - insufficient disk space 354300x80000000000000001545833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:59.663{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64979-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001066929Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:02.921{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066928Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:02.921{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066927Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:02.234{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB6F75CD535338DBABE4EA49D34B8BB,SHA256=A5CCE196156323F7D64B05D2FA019AF73368FA7168D8B08324EAEE3DBEC52F49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:03.031{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:03.031{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205C844AE7F466E65F32AD8E624FEB58,SHA256=1B36985065FAF9CEBAE3DECA8D8409AFFE7E2BC9968CB04E2A45108584A9179Afalsefalse - insufficient disk space 10341000x80000000000000001066935Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066934Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066933Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.268{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D46AF350928ABE47A88D8E73F5036267,SHA256=73363D3AAE15D2DE3F703C158822DEF9571AF78233946CBEADF96B844B8C6220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066932Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.267{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72329CF878234A66A5A419DDB48C9707,SHA256=4762C30FE876F6F963A25D1F76E5123C3F5F8608AFF074AF8E6AFDBE51DD7868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066931Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.237{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F950945F76B0C826555ACFF1E2146DC,SHA256=6FF3A656014535C34B185943280493F0A45685A0001BC11F2D9A125C85C81374,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001066930Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:58.707{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32479-false10.0.1.12-8000- 10341000x80000000000000001066938Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:04.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066937Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:04.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066936Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:04.243{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9136F430138809507B78FF62150399,SHA256=2BA341BEE3D4FE4B0E18FDABF342AAAB7EFC595B57570F0844980C6F923EE75E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:04.033{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:04.033{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5C3891425D00B342FA0C29A7DB31FB,SHA256=FDA800C6D4541B90F4DD9F1858E7A015E4A0FC1C4E95BCEDA88B575973B8FDE0falsefalse - insufficient disk space 10341000x80000000000000001066941Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:05.923{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066940Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:05.923{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066939Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:05.246{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21503FB8D92A7F7728F82F51DA84B27A,SHA256=7EF80D88B38EB53078B443111C41917998B53CE0DBF07EB5410EE4539E73939A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:05.067{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:05.067{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E948FDEE60C548CB33B8F8C6341851,SHA256=5F7D498A307F6A7ECB8D903049433037B983A0DE3261F8EDA0A885A0AA29D774falsefalse - insufficient disk space 10341000x80000000000000001066946Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:06.924{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066945Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:06.924{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066944Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:06.250{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7A76A188035E50F559E7CC337963BD,SHA256=4A84895606B3964B69C1C4C7CA13B155B49E731AABEB305BC408667448D9C99D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:06.085{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:06.085{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44D4E1FD6567DC0FD2E79A2C8BBE61D,SHA256=2FA7FAD92C464CDA2646F495BBE20D703CE62B389BFB42F2D4BC72F5E30FF1ECfalsefalse - insufficient disk space 354300x80000000000000001066943Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:01.490{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32480-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001066942Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:06.047{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D46AF350928ABE47A88D8E73F5036267,SHA256=73363D3AAE15D2DE3F703C158822DEF9571AF78233946CBEADF96B844B8C6220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001545866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.742{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb41a720.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000001545865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.742{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb41a720.TMP2021-04-21 17:48:07.742 254200x80000000000000001545864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.742{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\flby3lsk.tmp2021-04-20 20:22:02.3742021-04-21 17:48:07.742 11241100x80000000000000001545863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.742{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\flby3lsk.tmp2021-04-21 17:48:07.742 13241300x80000000000000001545862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000001545861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000001545860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000001545859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000001545858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000001545857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000001545856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000001545855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000001545854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000001545853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000001545852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000001545851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000001545850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000001545849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000001545848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.226{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.226{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74438FA4E43C926AAD7C6AA193F72C46,SHA256=5778B78851A184EA8F8A3EEC5624DC402FD55A0D290495033C38ACAF6B7D8103falsefalse - insufficient disk space 11241100x80000000000000001545846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.226{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.226{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FC860BB41C12A088825F6AB719B9EC,SHA256=325F73D9159C3316952999C9328A4AC85D21645423130EEE66C663DBE069AF90falsefalse - insufficient disk space 354300x80000000000000001545844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:05.655{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64980-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001545843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.088{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.088{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4D74FC629CCD14AB11B03F2C1FB596,SHA256=71BBF223E6E6151C55565984C838D9E9B0D5DAE6ED314A6A40079ABB83A935EFfalsefalse - insufficient disk space 10341000x80000000000000001066949Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:07.925{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066948Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:07.925{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066947Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:07.255{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD6CBF8C834B536EBAF4454E6ED6034,SHA256=30CFEBBDEBC592C915D1B203DE53E59D5A580BC0DA6EBE05690C6F7A3E669A70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:08.112{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:08.112{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1708BD48F924EC3B3F5DEAC3CF6E8CB,SHA256=785C268A12CB937478469DD9ED5E22967C95D575B2CC1C2D7BBAC3DEE6240F88falsefalse - insufficient disk space 10341000x80000000000000001066961Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066960Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066959Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.267{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43411B04C45465F7A7413ED1B0A7550,SHA256=2BB6A89AA7C69D28AA4B0E32C1639606F9EC151D91456AAB5DE40FAF769CD5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066958Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.190{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA97A6E96FD2152E27E58B4941A0479,SHA256=211E2BB3A858493CCC5E5D3BCEF2245F674AF5F823192F4B7638493F8113A8C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001066957Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.052{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6558-6080-185D-00000000BA01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066956Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.050{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066955Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.050{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066954Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.049{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066953Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.049{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066952Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.049{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-6558-6080-185D-00000000BA01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001066951Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.049{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6558-6080-185D-00000000BA01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001066950Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.048{761B69BB-6558-6080-185D-00000000BA01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001545870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:09.161{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:09.161{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FD6FEAD3702FDB02A3F52EA3427400,SHA256=E769871378DA4444C8A23CE498AC1351B1C46C4734E70CF1EC69B69D38C73E06falsefalse - insufficient disk space 10341000x80000000000000001066965Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:09.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066964Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:09.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066963Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:09.272{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA1A82D2629AEFAA4D75F8A6DD86411,SHA256=A73E4CD454D0955303B1512FE5A63DEA7F09F8825118D5912C590316A188024C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001066962Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.840{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32481-false10.0.1.12-8000- 11241100x80000000000000001545872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:10.316{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:10.316{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60609275C8B88FD24FF350FE038BF15,SHA256=E824C64EABECF3819F9E48D8B5073990D0D9DA7A24AFFD336A9A32E96080CC0Efalsefalse - insufficient disk space 10341000x80000000000000001066968Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:10.927{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066967Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:10.927{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066966Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:10.286{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E6F0F16A9E16D948466052854591ED,SHA256=EC820B483AFACA83C4EBF8A0C2B682D2C1E941F2C66768C840A2D18E8FD8CD26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:11.366{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:11.366{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AB277FF5DE25C7C0D4A9C02BCAA615,SHA256=28E99DB3DB4D39AA90FD289D4A3408F5A8E3543EE247EFCCD65A606BC8E84B4Efalsefalse - insufficient disk space 10341000x80000000000000001066981Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.928{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066980Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.928{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066979Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.879{761B69BB-655B-6080-195D-00000000BA01}6864872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066978Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.745{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-655B-6080-195D-00000000BA01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066977Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.743{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066976Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.743{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066975Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.743{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066974Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.742{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066973Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.742{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-655B-6080-195D-00000000BA01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001066972Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.742{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-655B-6080-195D-00000000BA01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001066971Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.741{761B69BB-655B-6080-195D-00000000BA01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001066970Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.366{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8ECA19983C82107D581E1F68F4ADD88,SHA256=3DFF7097D5000E72EE5992D5B4C53FED0990C9E8114D6BAEC3CDBF0D3293C764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066969Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.288{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72B54F54B0DC4ADDB9C0ADB3641F301,SHA256=CCB8E30CBDA74BEE4D8D3319EFD0E9FD048DA283E2707DDC30103F9FDFFDD4F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:11.297{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-04-19 13:21:46.711 23542300x80000000000000001545873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:11.297{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B8CC46532F46F47EE32F75B90E1E5966,SHA256=BDF51C347B522E4C843792322F7252049DE5697C48D40748CA37DB6292B92D35falsefalse - insufficient disk space 10341000x80000000000000001066993Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.929{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066992Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.929{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066991Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.745{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=379CC40E4CD11EE1E73C2ECE176F38F4,SHA256=84D23E80365689B76A010E945B7A54767163A202E9A0783F712D89CAA1DDCE00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001066990Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.408{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-655C-6080-1A5D-00000000BA01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066989Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066988Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066987Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066986Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066985Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-655C-6080-1A5D-00000000BA01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001066984Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-655C-6080-1A5D-00000000BA01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001066983Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.405{761B69BB-655C-6080-1A5D-00000000BA01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001066982Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.297{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B40192EAFD0EE5054D978E33FC9509,SHA256=83ACDC9EFE3850EA56E7FBE7F0B4062BC106F126632555E534FE1D077EBDF21F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:12.369{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:12.369{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F006E3CAA5292D843BD67A11FF13755,SHA256=DA80967548B5C5465253E298F366FBB79DE7058F257D71173CD3C3EBDA07ED57falsefalse - insufficient disk space 11241100x80000000000000001545886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:13.402{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:13.402{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C37C5C09E1A6657F85F70D758E8A0A,SHA256=F5B52E822D4EE4A149AF827EDDDCF5E4AE955E57F3AEB485DA974A0F2A90E75Cfalsefalse - insufficient disk space 10341000x80000000000000001067005Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.929{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067004Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.929{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067003Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.307{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E533EBE190179A34F9DD5EBC702D153,SHA256=0FDF345E96F702A2A0C31F936BAC0613B57F5E4E1EB64DD763945503754812B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067002Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.205{761B69BB-655D-6080-1B5D-00000000BA01}59282496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067001Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.073{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-655D-6080-1B5D-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067000Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.071{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066999Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.071{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066998Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.071{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066997Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.070{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066996Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.070{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-655D-6080-1B5D-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001066995Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.070{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-655D-6080-1B5D-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001066994Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.069{761B69BB-655D-6080-1B5D-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001545884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:13.255{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:13.255{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E32CA4CD75EF85C4D08657AF066C9D69,SHA256=62657100E188480A69E47FFA6582E462C0080C16ED709B761C6BAC767225805Ffalsefalse - insufficient disk space 11241100x80000000000000001545882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:13.255{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:13.255{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74438FA4E43C926AAD7C6AA193F72C46,SHA256=5778B78851A184EA8F8A3EEC5624DC402FD55A0D290495033C38ACAF6B7D8103falsefalse - insufficient disk space 11241100x80000000000000001545880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:13.139{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000001545879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:13.139{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 354300x80000000000000001545890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:12.693{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64982-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000001545889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:11.691{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64981-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001545888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:14.423{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:14.423{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA7F1670D01BA3AF0B34D14AE8C22EE,SHA256=EA6C7B2F5025685F9B8B34073C41D23E94D27056C6AB430EFD168CA451C785BDfalsefalse - insufficient disk space 10341000x80000000000000001067009Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:14.930{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067008Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:14.930{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067007Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:14.310{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F789164364099ACD7CBE585B0E2AAE,SHA256=08D2A42E2C0ED3F4C27224114929CD89063C3D0E98C9A4ACEAE944CC789F7F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067006Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:14.076{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EAF184B119214700EE139C5D84C5867,SHA256=42759323988E251B7B385C6A6DA4A3DA5F6F4055FFA7718D254A10397263DBC6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:15.445{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:15.445{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56380D90FF94CD367C5CF826A0D7C6E4,SHA256=3A00EA25F923C9FDE30CF63393C45D66F22CB80D5E39995123529C920EC89F89falsefalse - insufficient disk space 10341000x80000000000000001067014Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:15.930{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067013Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:15.930{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067012Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:15.339{761B69BB-818A-607D-0B00-00000000BA01}6324224C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001067011Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:15.316{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8038C640700887AA15B6962A025BFB,SHA256=F7998395DD1D5B19E58C674068D6B759F4645003C6C591407199149961F191CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001067010Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:09.739{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32482-false10.0.1.12-8000- 11241100x80000000000000001545894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:16.447{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:16.447{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E06F9B61322BB15EAC1D0C5E1461E9A,SHA256=FF37B4C9086B638CF0646990760821EB3B85A9860FEABF70D700A03343B0E99Dfalsefalse - insufficient disk space 10341000x80000000000000001067056Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.931{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067055Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.931{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067054Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.898{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067053Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.898{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067052Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.898{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067051Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.898{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067050Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.898{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067049Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.898{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067048Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.898{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067047Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.898{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067046Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067045Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067044Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067043Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067042Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067041Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067040Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067039Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067038Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067037Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067036Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067035Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067034Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067033Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067032Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067031Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067030Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067029Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067028Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067027Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067026Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067025Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067024Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067023Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067022Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067021Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067020Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.329{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E9A83391B1E982F1A64B085C9CD5B2,SHA256=4AA2DB7B2DA402DFE14289729C74CD914C10E779B01CEA94A0D9870CF02CF929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067016Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.282{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AC136306270C07EA53242178F3EED66,SHA256=09F53B853AD535D2A62F2D23D770E7DFD2F5CAC8D12B100698A533DDAC7C6100,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001067015Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.722{761B69BB-64B9-6080-095D-00000000BA01}4328C:\Windows\System32\dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32483-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000001545896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:17.497{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:17.497{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD602B9F449A38BE52473E9C0708214,SHA256=20552C692092949C15505D93F503CB1DB6EC7BBF1EE60DE8BFF59C1E4A9D0978falsefalse - insufficient disk space 10341000x80000000000000001067069Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:17.932{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067068Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:17.932{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067067Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:17.369{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30F26BAEC9B57C1D542D46F05B4B4FE,SHA256=6AEAA99A38027DD2C23B1E11FF5CAC1D2ECBE42D7C9A835D897624C54680F00A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001067066Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.009{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32488-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001067065Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.009{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32488-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001067064Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.006{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32487-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001067063Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.006{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32487-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001067062Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.006{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32486-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001067061Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.006{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32486-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001067060Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.909{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local32485-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001067059Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.909{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32485-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001067058Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.902{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32484-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001067057Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.902{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32484-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 11241100x80000000000000001545898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:18.499{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:18.499{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7748E0A679317DB161D5F2717C040DBD,SHA256=E07CCA4B6BE5C449D8DFEB6BED25547FF4E4F06BEE52AC7B1E5F9E527327B0E4falsefalse - insufficient disk space 10341000x80000000000000001067072Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:18.933{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067071Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:18.933{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067070Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:18.371{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F48D51DD5DCCAACFFF17F58BC38108,SHA256=5FD52B2FD3B1E0BE14815B7B50B78285063D854A7A8187E20FAAFA086CCEB32A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.636{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.635{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27AFB98BE909A7EDAFC99BEF7E1EF74,SHA256=BBB17846D75EBAAF727C473910BD1658BD583B8EFFD2298A1D07793E4CA4B60Efalsefalse - insufficient disk space 10341000x80000000000000001067077Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:19.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067076Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:19.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067075Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:19.379{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A633FFBDEB36442220B6D95205F5A4,SHA256=9649E984AB34CF687AA36866569882BA2D66F0A020D4719A722A4ECBE5B86BE6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.116{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.116{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F5868AE09255B11533851CA5967F15A,SHA256=5C46D4DB86BC8A4398805B258CD0591D1B325F085C2367AA09EBB8DA49654DA3falsefalse - insufficient disk space 11241100x80000000000000001545900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.116{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.116{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E32CA4CD75EF85C4D08657AF066C9D69,SHA256=62657100E188480A69E47FFA6582E462C0080C16ED709B761C6BAC767225805Ffalsefalse - insufficient disk space 354300x80000000000000001067074Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:14.872{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32489-false10.0.1.12-8000- 23542300x80000000000000001067073Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:19.216{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D26E4BB44E3A4DB6BF3BA605EE885D1B,SHA256=DA43DED23227535D140F9BFFE1F6A5C08D90B37E7BC569F883CCEAE6CBB55AF4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:20.704{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:20.704{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55083B5664770242E0F32A0EB745A8BB,SHA256=06643BD006D04F18F7B837326C6435C3E66E4B21603E26A85519003FB39F97F0falsefalse - insufficient disk space 10341000x80000000000000001067089Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067088Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067087Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.914{761B69BB-6564-6080-1C5D-00000000BA01}67165840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067086Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.770{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6564-6080-1C5D-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067085Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067084Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067083Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067082Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067081Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.767{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-6564-6080-1C5D-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067080Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.767{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6564-6080-1C5D-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067079Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.766{761B69BB-6564-6080-1C5D-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067078Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.385{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5F64EA61351AC5EF75C53458C97E75,SHA256=C070064A6D3896265D3CA96A8C8C9A3A57BA7FDE26447C984105895BE210227A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001545905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:17.668{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64983-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001545909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:21.707{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:21.707{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FA38339E22B58C73B0F9AC89392E15,SHA256=4D7CDAF5974B7ADFE5EBDAF2653756ED9C28CA8C23A1F2136EBBF703558984A5falsefalse - insufficient disk space 10341000x80000000000000001067110Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.957{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6565-6080-1E5D-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067109Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067108Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067107Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067106Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067105Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.955{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-6565-6080-1E5D-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067104Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.954{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6565-6080-1E5D-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067103Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.954{761B69BB-6565-6080-1E5D-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001067102Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067101Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067100Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.771{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10DA284C5714153ABA70D1BF49162B4A,SHA256=26813ECE467E2183DA3B2904F607F53C11E3534A26A2ED5E53F88EC96A7593A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067099Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.566{761B69BB-6565-6080-1D5D-00000000BA01}35965080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067098Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.434{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6565-6080-1D5D-00000000BA01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067097Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.432{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067096Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.432{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067095Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067094Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067093Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-6565-6080-1D5D-00000000BA01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067092Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6565-6080-1D5D-00000000BA01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067091Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-6565-6080-1D5D-00000000BA01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067090Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.394{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C745CC875F9C3F1688B3522B0240097,SHA256=66108C937133D2CD439C1A0F72B0D7160BF38AD39E07C229757F88EAFA1B3800,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:22.709{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:22.709{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111208F5B1E9D56F7BE3D8230B5F2C16,SHA256=BDB0E30753F8FDA749E6C229D26D7249B827D08CE9CBF07DDE3FB978F56E0C85falsefalse - insufficient disk space 10341000x80000000000000001067113Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:22.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067112Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:22.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067111Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:22.405{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248F668B5C043AD61F6FAECDA083D463,SHA256=31691FE34D643BEE6F1FD784CEF2404B44DD1082A6467F4455DEA285E513DB8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:23.711{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:23.711{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EC2A84BCEE200DEEEE0D323D087128,SHA256=5D834361105417E9CD0CF502102AE6258F43800F8F7B99CAD2235D49A9B3F3B6falsefalse - insufficient disk space 10341000x80000000000000001067117Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:23.936{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067116Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:23.936{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067115Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:23.409{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199D908ED5FAAC7E8421AD42E98D4285,SHA256=AA7BB75EA293CB6D974448354D6B41B7E1946F7705680B1AF1F590308108FB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067114Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:23.082{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C31D95416B5A4C5D0198A8D99A6D46,SHA256=C6A720EEEF4B12D12F011747107FB937490CDBAF2BDDA3D6574E3046770D3728,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.714{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.714{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB5EC3FA6CC7F665257741B88D3C420,SHA256=D924F59840B34A305DE5B02061C2840877100D1C7AECCEEE68DEBCC670513199falsefalse - insufficient disk space 10341000x80000000000000001067120Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:24.937{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067119Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:24.937{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067118Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:24.425{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226F4C7F60046670BC4516E8FAC2D392,SHA256=0CCB5D5D03676097941AE2EF9BF718CA9114DC93D12FCD62FC28088060BE2988,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.128{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.128{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=063AA9D703CECCC7BB78D28763BA9D6A,SHA256=15786BF11C6DD591B384E0317B0295AB4CDA88480BA8454067A1123A5BE2731Bfalsefalse - insufficient disk space 11241100x80000000000000001545915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.128{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.128{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F5868AE09255B11533851CA5967F15A,SHA256=5C46D4DB86BC8A4398805B258CD0591D1B325F085C2367AA09EBB8DA49654DA3falsefalse - insufficient disk space 11241100x80000000000000001545922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:25.716{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:25.716{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9988B3A0EC1BE79F776A0F1595C729,SHA256=90E3BF0236D6B7868046D8A5A1BF1C87F560F7E9BB669AC4BE10241848EC2D08falsefalse - insufficient disk space 10341000x80000000000000001067126Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:25.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067125Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:25.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067124Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.749{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32490-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001067123Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.749{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32490-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001067122Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:25.429{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A54F0C8781A78FFB4F80B5F6F3EAED,SHA256=BF22267C347EE74AA72F5A490998496D6E994A3FD9D804A2D889F3E37315BAA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001545920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:22.679{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64984-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001067121Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:25.086{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F8A9470F48F63CC64F301619A82D7B,SHA256=617F2081CE1A921D1CABBF1D5334B96FCBB8BB5E1B1C59F3B28EF9FFCBFEAACF,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000001545930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001545928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001545926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001545924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:26.718{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:26.718{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCC4E47CDCC7A11A834A0409A877CBF,SHA256=9BB628EBF91ADDC584CEBE72B5DBC950FB72DF30B7BC5CB5F11DF8C95BBED55Dfalsefalse - insufficient disk space 10341000x80000000000000001067130Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:26.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067129Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:26.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067128Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.763{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32491-false10.0.1.12-8000- 23542300x80000000000000001067127Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:26.434{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8FD8E192C0AB49AED6DD1DFF24765F,SHA256=167DAF936BC84427E4C187C0A23259896417CAC4CD9B20698ABB9F76ABF0D6EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067134Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:27.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067133Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:27.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067132Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:27.446{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889BED88D89CF153B380F1B25771589,SHA256=680B6D4C603D1F23683A512731E3AD8E8BB23F9764EA319E783C65E07EBC3277,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001545980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.135{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001545979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.135{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001545978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.135{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001545977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.135{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001545976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001545975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001545974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001545973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001545972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001545971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001545970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001545969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001545968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001545967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001545966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001545965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001545964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001545963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001545962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001545961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001545960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001545959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001545958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001545957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001545956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001545955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001545954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001545953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001545952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001545951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001545950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001545949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001545948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001545947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001545946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001545945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001545944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001545943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001545942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001545941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001545940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000001545939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001545938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001545937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001545936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001545935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001545934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000001545933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:26.988{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001545932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001545931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:26.989{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067131Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:27.050{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=085D68C482CCE452F21C4A46E809AF15,SHA256=14CF9C9BC619401F37AE0D144E21BE289F635389CC3E060D6DDBCAA9DDB6F4F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067137Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:28.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067136Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:28.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067135Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:28.452{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80170B4B4CA0958F486A9B53289C8B0C,SHA256=755E2EA86E41953ED82900B96DCB96A32825217E744015D670BC509FFAB6B083,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:28.090{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:28.090{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7623D0F06B9A880AA2E988F06C91FB6,SHA256=D1195A5795C6C25EE9039B27300C76133D7C6C4617711E3C7BBFBEABCED9E207falsefalse - insufficient disk space 11241100x80000000000000001545982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:28.090{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:28.090{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=063AA9D703CECCC7BB78D28763BA9D6A,SHA256=15786BF11C6DD591B384E0317B0295AB4CDA88480BA8454067A1123A5BE2731Bfalsefalse - insufficient disk space 10341000x80000000000000001067141Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:29.940{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067140Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:29.940{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067139Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:29.839{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067138Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:29.455{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ECA65675B6B0E31311C4E5D972332A,SHA256=FDD2974F217A0979FE6446569EA521C9BC2A8C9D04D550DC1206F3F294CAC4D2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:29.108{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:29.108{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CEB23B1878D77235CBE4CDEA9AB994,SHA256=E9F65447A1599E1274E8C9E03B57FA9D1BE50A1143F1F1FBC8ED9C2C640CF82Afalsefalse - insufficient disk space 10341000x80000000000000001067146Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:30.941{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067145Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:30.941{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067144Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:25.885{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32492-false10.0.1.12-8000- 23542300x80000000000000001067143Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:30.465{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D042CF2609E0AF56C6C413632C9B286,SHA256=EB5D1999FBDBF0B251C8AE18566FC84ADD2E82FE9B8D1CB974EBFD45087A5BC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001545991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:28.647{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64985-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001545990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:30.195{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:30.195{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A285351DF73411A63614582E9DEAF5A,SHA256=DF671C31D0EDE61514575CDD736F82B3AC11C9633B99A05C0607BFAD82C3AB2Bfalsefalse - insufficient disk space 23542300x80000000000000001067142Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:30.225{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D4BBCFF5DACBBFB97096658BFA89629,SHA256=48DB03F17B01D49A45E453D2018435D82CB9A45BAD7C8BA47F2B9753E26F8C48,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:30.095{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:30.095{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B2121C1400A27D87247ADE57556C4EE,SHA256=0B6337CB7FDA1AC6AB951E08828BA70B9F1305F74FD3D3197CDA2F9C3C8A56BDfalsefalse - insufficient disk space 10341000x80000000000000001067150Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:31.942{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067149Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:31.942{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067148Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:26.494{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32493-false10.0.1.12-8089- 23542300x80000000000000001067147Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:31.467{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B02413B625F5FFC9C3DF36D9C09E004,SHA256=09576B36D5D5469FC530B48325B5AE1D0004FD6E7D94466280FD8FFFAB914BA4,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000001546059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.984{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.984{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.984{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.984{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.984{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.984{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000001546053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.445{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001546052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.445{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.445{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.445{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.329{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001546045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001546043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001546038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001546015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000001546013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000001546012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001546011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000001546007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000001546002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.299{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001545999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001545997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001545995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001545993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.266{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.265{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D55347C321E26B2535C70056416C45,SHA256=EB7B22F853FE5744A8742728A4A4B43E9C938EF3881D95B72B10609B77D0E3CBfalsefalse - insufficient disk space 10341000x80000000000000001067153Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:32.942{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067152Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:32.942{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067151Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:32.475{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF7BDC4BDA29126BBC9F4E3FB744DF1,SHA256=D3F97CBB180278D06F7E835A6368FAFF4E31068D73D74FC037E602777860AABB,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001546172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}46486496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001546130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 11241100x80000000000000001546127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000001546126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 23542300x80000000000000001546125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551D919C2F196F3433AE5918103887D9,SHA256=A45FBEA6E973716F12B0775FACC6CC7B01954D8C359D436A6BE88AC967F2C58Efalsefalse - insufficient disk space 734700x80000000000000001546124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000001546122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.505{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.501{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.501{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE862B409A53A63A59352FAFC85384B,SHA256=7A1FD1376B8AE13841564E416DF67E52BA26A79C4A2D2F18B647839898BB419Efalsefalse - insufficient disk space 11241100x80000000000000001546111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.501{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.501{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BCA692691709197280638EF90394802,SHA256=4420BFCDFF1019AFCDF49AEE775F94E94A77D6E96702404AD2E6C8463CF983FAfalsefalse - insufficient disk space 534500x80000000000000001546109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}24447840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000001546062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.984{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.984{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.985{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000001546286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001546282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001546280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.888{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001546248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000001546243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.867{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.650{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.650{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5791FCEDB2F1F33FC419E41B002480,SHA256=CB47CAEBBD8E3215508FCEE643DD08D151EA4A2C796A42F575F55E0D8179E1ADfalsefalse - insufficient disk space 11241100x80000000000000001546232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.635{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.635{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A528408AEF384919652DFBFD468C9133,SHA256=3E1C4A8BDFA284AED996AC5BABDE316D99884FEE2BEB2BF197FD6AEB538F578Ffalsefalse - insufficient disk space 11241100x80000000000000001546230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.635{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.635{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59456862C8011FBA1F3B5F9B38C9610F,SHA256=D7364D93D5AE121932DE4C0CDF97C3AC4EB611DE7C07774628B9857915D57BB2falsefalse - insufficient disk space 10341000x80000000000000001067156Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:33.943{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067155Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:33.943{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067154Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:33.478{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433CC2AA7EA2B6739B2A1C7AAEEF02F1,SHA256=FCD57ACB099107E94B1B94C25F34BB07ADE6530A93E54D138E1CC6A56C77406D,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001546228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.334{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.334{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.334{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.334{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000001546209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001546186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000001546181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.187{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.187{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.187{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.187{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.187{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.187{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.187{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.187{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.187{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.938{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.938{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41B79330CDF0BF1DCA6E89F36F786246,SHA256=00E2A0728DAD95DC13B2959FFB3BDFCF4983A214352F823B1A10F3D577160F8Cfalsefalse - insufficient disk space 11241100x80000000000000001546350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.853{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.853{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4ABA5CA80CEF2DF283A65C0F618E0D4,SHA256=00E3A266F9171B4FF975CAC1F80ABA69FAE0A7D18A8319E0755C0CC60B6D5EDDfalsefalse - insufficient disk space 11241100x80000000000000001546348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.838{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.838{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D494D5B4FEB0021490E81410F15DFAC,SHA256=F22FE499D078034A655404737F49F335554E191F933EFF531D2C878C9CEF6C11falsefalse - insufficient disk space 534500x80000000000000001546346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.706{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.690{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.690{21761711-6572-6080-475E-00000000BB01}59327368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.690{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.690{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001067159Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:34.944{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067158Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:34.944{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067157Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:34.485{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9245EC2818512C5881C9CA4D84053F7,SHA256=E2C0A09755CBAA75D257C0CB2977BF9A531293251145048BC6E26B73ADA3250B,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001546341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.575{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.574{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.574{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.574{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.574{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.574{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.573{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.573{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.573{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.573{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.573{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.573{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.573{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.573{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.572{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.571{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.570{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.570{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.569{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.569{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000001546299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.569{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.568{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.553{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000001546290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.020{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000001546289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.004{21761711-6571-6080-465E-00000000BB01}70204600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.004{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.004{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000001546354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:35.708{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:35.708{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253D5FB8A521733EDAFEAF6B5A40BCCF,SHA256=AD63F9D9A5379D4864025CAFAC610E85CD9ADEEC5D1DD99E584A781F9885046Dfalsefalse - insufficient disk space 10341000x80000000000000001067164Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.945{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067163Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.945{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067162Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.734{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8864AB5EAF1C50E0F778D64492CC1FF2,SHA256=0F32C48A3F6857029B6924D179C9E0DE0511292E9848E7E7D9AD4877C9647F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067161Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.733{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C88579E98A1B3057970824D2DD0F89FE,SHA256=302221741E759D2CD4083B6ECBE81947443BA642DD6904068B3CF37EB3A756F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067160Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.487{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED87C1740C9727C58EF9D6FB432BA01F,SHA256=B3B7B3F48A3B75F90D9794E7E9CBCE1ED8478A90CED46E5067BDD080BC57C1FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.676{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64986-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:36.710{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:36.710{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC13A5F7BE274A26652AC9DE42F58229,SHA256=A683CA8B658A066A874EB6036E28AAC5D2CB5C8C8C906D9A29FFD11F8F02B2D4falsefalse - insufficient disk space 10341000x80000000000000001067169Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:36.946{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:36.946{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067167Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:31.767{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32495-false10.0.1.12-8000- 354300x80000000000000001067166Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:31.396{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32494-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001067165Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:36.492{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8905DA751201E8C130452679E4C8FF,SHA256=C75E4968AAC0C538EAD663C5CFA245394CFBCBF1FEBDE42477DF789A5033D9DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:36.125{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:36.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E514F42414CD60F6864C971533CB13,SHA256=5EFABF2C7B51FD0813350878C03FD919C829CCC09F82449400357DCF3C669F3Ffalsefalse - insufficient disk space 11241100x80000000000000001546364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:37.778{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:37.778{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED1DE77DE0734779AC1EFB0AAEF5483,SHA256=372C150E4FE14248823463085C9EB8F6FCDE64FE54DE544313EDC3FDE7599D5Bfalsefalse - insufficient disk space 10341000x80000000000000001067172Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:37.947{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067171Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:37.947{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067170Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:37.507{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B56055903DA5080D0AD17B99557BE37,SHA256=95218F3225B354441837E3860AF696A1AB266E2A62723EC49AE1E3822EBB9901,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001546362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:37.111{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001546361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:37.111{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001546360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:37.111{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001546371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:38.831{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:38.831{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6E71C608CA4EEB345D353A726D5125,SHA256=B780A981C921B05938C98D6ABB54751F70B8C53F6D8551DF66CA241857AEA198falsefalse - insufficient disk space 10341000x80000000000000001067175Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:38.947{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067174Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:38.947{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:38.510{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04856DD9975F71CCEEDFED93DF830B5F,SHA256=62A8C1BDA6EA86E93887FEAA5308B1CFE2F4F7DDB8760502C07A7EDFB1B02280,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001546369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:38.214{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000022038A\VirtualDesktopBinary Data 12241200x80000000000000001546368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:38.214{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000022038A 13241300x80000000000000001546367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:38.145{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001546366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:38.145{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001546365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:38.145{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001546373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:39.833{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:39.833{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BF2D5E76923A8C241A1019A7EE9C24,SHA256=46E7D56CB9F2149E00C85ADE0B88EC5128C38138EFBFE7A9853AAAEFDD0AC846falsefalse - insufficient disk space 10341000x80000000000000001067178Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:39.948{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067177Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:39.948{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067176Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:39.516{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FE3DB7399B6635C5CB047528E357BC,SHA256=28047A9779CBAF7E4A03FDF5FD7B6EFD9796B9648532A8D5B2587E4B0A8C4610,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067181Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:40.949{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067180Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:40.949{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067179Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:40.519{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0190A470205F0B8039712F7A0AF0C7AD,SHA256=71A33189FBF6EAADB9B9ADE1C782967583EE889E5F0C4FCDD62A3AFB3A21A99E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067187Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.950{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067186Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.950{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067185Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:36.909{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32496-false10.0.1.12-8000- 23542300x80000000000000001067184Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.522{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CE833B8787645F10F10DE3603CDE46,SHA256=E1C4C4BC8D86FE133CA76131A05A6317EC5BF5A228C9B0DB0037C48A38C791BC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.188{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.187{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C43710642D1876780EAA09C6C9FEE54,SHA256=8E5431D469600DCCDA5853875723465FAE7CB4F9045627C8F53938890CF877D9falsefalse - insufficient disk space 11241100x80000000000000001546377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.187{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.187{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E09EC093240FD147DE70E07A11BDF54F,SHA256=9258931434F8C18D097462716D4F763D63B3A69E2763D888335987DCA0DBB81Dfalsefalse - insufficient disk space 11241100x80000000000000001546375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.068{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.068{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7136B04A308956BEFF7BD04103972F4,SHA256=ED5103234EDC09E7E0ED16A0EA5606C120D766E76E1BED622F0DD183AE5513FCfalsefalse - insufficient disk space 23542300x80000000000000001067183Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.333{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8065E252578666B0CE47DA5D0185C455,SHA256=85488E6179464CE3E9C88F638047A600783491ED512BD0134085147057748F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067182Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.332{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8864AB5EAF1C50E0F778D64492CC1FF2,SHA256=0F32C48A3F6857029B6924D179C9E0DE0511292E9848E7E7D9AD4877C9647F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067190Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:42.951{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067189Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:42.951{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067188Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:42.525{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB167FD4BCAD5F5A6D9C7068E48F8BB2,SHA256=B54CBDDAECBD3238D2E5660A9118B4816C9F57E30C8DC4FA6FC9E7943C00B884,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:39.719{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64987-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:42.070{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:42.070{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9D41CDD9D1837C0C2384C3894B6D43,SHA256=3CEB27A837E39B9F8E2E1D239D05BA4CD439441FB6FF69AC569BEA94510B713Afalsefalse - insufficient disk space 10341000x80000000000000001067193Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:43.952{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067192Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:43.952{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067191Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:43.744{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE0F241724DEC4BB706C58C538788C4,SHA256=5878507B23BFA7EAFC3F29C6684267294D3092691176C5F737D9579D48DE027E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:43.191{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:43.190{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F729D38BC759E096E68861FF4B0B8381,SHA256=9077B8EC5FD0375003461CBD59B636A8AEBABD0895AD6DF8C72F7F58A2BAB5BEfalsefalse - insufficient disk space 10341000x80000000000000001067196Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:44.953{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067195Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:44.953{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067194Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:44.747{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99127AB0CCF0538C7AA08007E3B4096,SHA256=BEABEB28D956931CD25682130321E31C8A306069C221B4E5979AE37EDE06A882,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:44.193{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:44.193{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E4F6C745CE64128133FB171B8EDE88,SHA256=05999F0B485008823F3AD1DBA319A4C87F8576AE13E9D8B7B291B4FD0D916AE2falsefalse - insufficient disk space 10341000x80000000000000001067199Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:45.953{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067198Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:45.953{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067197Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:45.771{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C57C5D4D3010DC7308593C9D45C5A72,SHA256=5DB3D42EBEF4C22A1E6AF34F98ECB3177C93D6D93F3886A40982BD7667CE8C1A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:45.196{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:45.196{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA7A1F8E43F953D234C64127BE99880,SHA256=480DA90A65FC3439D1049FE53064F24117E9E8F796BC73E9BB1B43131A3DBF13falsefalse - insufficient disk space 10341000x80000000000000001067209Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.954{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067208Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.954{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067207Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.777{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8260B5E0624C5BA6AC9340607C557DD0,SHA256=7B5D9C804B7706A57A095F70AB4AD0EE9F5DB18DA3ACC1F08E69AB7257BAF613,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:46.199{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:46.199{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49DBCE01FCAB7F6AB7047D06BB06D00,SHA256=DA447779D5CE757104FCB6FA36E88B15C94C81A6A3F4E6E0B94975B9E0E1FEDBfalsefalse - insufficient disk space 10341000x80000000000000001067206Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.139{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067205Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.139{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067204Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.139{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067203Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.138{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067202Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.137{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067201Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.137{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067200Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.137{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067215Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.955{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067214Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.955{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067213Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.785{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385E04C9FA7C011DA58F5EE3B46441D9,SHA256=981E30200838557838FE6E0E8D011A84967070B0989A87306B8379E0BC4D5E44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:45.703{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64988-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 11241100x80000000000000001546395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0623B6026CA96A6198B2EB41050588C4,SHA256=84157CF9DF08E06FF71D951108650231AC4555D016F263685B4C23639ADA3965falsefalse - insufficient disk space 23542300x80000000000000001546393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCE10E2B718DE5EB78FE8D4A3E958D1,SHA256=61CCF704A69FE9C01C95393853A5151F8ABC6216361E7FAEF710066711760A5Ffalsefalse - insufficient disk space 11241100x80000000000000001546392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C43710642D1876780EAA09C6C9FEE54,SHA256=8E5431D469600DCCDA5853875723465FAE7CB4F9045627C8F53938890CF877D9falsefalse - insufficient disk space 354300x80000000000000001067212Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:42.787{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32497-false10.0.1.12-8000- 23542300x80000000000000001067211Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.121{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=061214CF3B4DA26659A24E894369F9B9,SHA256=63C45F018CDDE729F9E49D7A308B483F5DDC58E4950E543814292339852DD003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067210Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.120{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8065E252578666B0CE47DA5D0185C455,SHA256=85488E6179464CE3E9C88F638047A600783491ED512BD0134085147057748F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067219Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:48.956{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=12EA87B1E6DB9890B50620DE12FDD4A8,SHA256=A7304C2DBF51AAB73F952FB72D5CD5A93F3C29AEABFDF4BE9CFFE7F6C3E554AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067218Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:48.956{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067217Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:48.956{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067216Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:48.788{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69465A5B7F37E4CA20D898F19600464,SHA256=CC47A25015CB1B3480604A7E8AD68432A8D4B73B9862C689396A2BFAFCF213E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:48.423{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:48.423{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7B1F48FDCD5CABC4026B734DDBFD73,SHA256=0E317521CD8EE7B5B4D20B8CD327B86640F89471E1AB8B5A3CF7B1AE50F79190falsefalse - insufficient disk space 10341000x80000000000000001067223Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:49.957{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067222Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:49.957{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067221Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:49.797{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A236720BE5D577564A120C70B307F7D,SHA256=63DFE632D512922ECBB5B3BCB43517800681BABE05B1AC34B09054F5B86E1CC8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:49.457{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:49.457{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFD959B11D927F6805F14EE91D81179,SHA256=BB00D534FCE89FCB6D6A6F098AEAFF0C9283875ACA3B211ED3DBED6D4E2909A1falsefalse - insufficient disk space 23542300x80000000000000001067220Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:49.526{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=061214CF3B4DA26659A24E894369F9B9,SHA256=63C45F018CDDE729F9E49D7A308B483F5DDC58E4950E543814292339852DD003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067226Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:50.958{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067225Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:50.958{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067224Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:50.808{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ABCFE12938E6470B7DE660C098FAC62,SHA256=04D736508DDA2537DFFB9C5C046262BCDF200F365D3C776327B70044B23BEA6F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:50.508{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:50.508{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43A61BF41738F8CEE028CF01393AD592,SHA256=547136628C06D1CA09AD1B678C47149E159EBFAC08BABAB44B47C836E9000D89falsefalse - insufficient disk space 10341000x80000000000000001067231Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:51.958{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067230Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:51.958{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067229Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:51.820{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDB2378F7EE7A50B764EB101AFB77DF,SHA256=A01650646AA218C8BE9101DC6E2D37598CD1FE7407E6ECAD91BF2E07A5176B99,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:51.512{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:51.512{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1BFA847BE7A81C4E3FC2CD69ADAABA,SHA256=E02B5A0FD925312E275B2350BF785EC0B9456F3D5647CAB30E3206A9C0E35E81falsefalse - insufficient disk space 23542300x80000000000000001067228Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:51.369{761B69BB-646C-6080-FB5C-00000000BA01}5716ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-16\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio15518224995390932516.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067227Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:51.336{761B69BB-646C-6080-FB5C-00000000BA01}5716ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-16\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio6313555939343990966.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067236Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:52.958{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067235Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:52.958{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067234Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:52.827{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B130B05A70B43544C16648F6AFCBB1,SHA256=1366461F780DC8B2C87437C44F171AFDC7A0D9FA70DCCF1D4EFC8D39C64C6C8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:52.533{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:52.533{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DBA52A711935AE8CF50DB08D767EED,SHA256=8A8F3423341B68059167DDF83E98D72BC9459DA89F1222D03FC9347256CBE30Bfalsefalse - insufficient disk space 354300x80000000000000001067233Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.493{761B69BB-64B9-6080-095D-00000000BA01}4328C:\Windows\System32\dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32498-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001067232Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:52.055{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FA74C1D39EBF830DE524E6DD36ACE81,SHA256=CDF247D972C76C3D6C7CAB299C424B2E55746FB0AAED7713429A6F6B070D67CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067241Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:53.958{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067240Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:53.958{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067239Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:53.833{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27049F8451D0612AE8AFAE46469CF1D,SHA256=8E424B5414D70B1C463B777E8263EF1D75D29A7D568A4AE883361E6F3A5067F7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:53.636{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:53.636{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F30348CEB5828763D6DC2F62C503A0F9,SHA256=06207D01D2E8205FCAC303B6779ED291568B0066EDBB80693B22FD89B8600BD2falsefalse - insufficient disk space 354300x80000000000000001067238Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:48.677{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32500-false10.0.1.12-8000- 354300x80000000000000001067237Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.502{761B69BB-64B9-6080-095D-00000000BA01}4328C:\Windows\System32\dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32499-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000001546411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:53.135{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:53.135{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31138A48AAB0888041EDC776E4EC0B3F,SHA256=765493F45A3E7FCDD0BA94B37D42931CF5317221CE48A51CF1ED5F9028173FF4falsefalse - insufficient disk space 11241100x80000000000000001546409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:53.135{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:53.135{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0623B6026CA96A6198B2EB41050588C4,SHA256=84157CF9DF08E06FF71D951108650231AC4555D016F263685B4C23639ADA3965falsefalse - insufficient disk space 11241100x80000000000000001546416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:54.669{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:54.669{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D48F14C51775CC87AF2029A9DE51BD3,SHA256=6EA1924724ECF51D6A3A2E1D1CD8A2CEC6CD166CFA4C80D0FB7BCFBA4A603262falsefalse - insufficient disk space 10341000x80000000000000001067245Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:54.959{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067244Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:54.959{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067243Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:54.836{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDD84D895368DF25500018AE80459B6,SHA256=8B92109EC1617CFB1B24A6C7B5150BF1CE0BB665802E3101541E081A81F2C130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067242Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:54.518{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CE3D8E594F1053EAF1A10104AC752DE,SHA256=DDFDFBCF15C03580B4E6EC46AD4DA0181804BF87BB62317863E92F66CC7F9570,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:51.686{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64989-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:55.672{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:55.672{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF444B9AD103A29CB28C0219C0009A8,SHA256=BD7C2045A74B52ECBCA088343CF43CAF88AC2CA45486BF8E985F8639336AF0B9falsefalse - insufficient disk space 10341000x80000000000000001067248Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:55.959{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067247Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:55.959{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067246Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:55.838{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A956CC6A96FDBEDA1AF6CBE1F1E0813,SHA256=9F371DBB79C33DBB39BAD2FC9594FFB1B2F786F9C30F100FD419E72DB80B1A7F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067251Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:56.960{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067250Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:56.960{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067249Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:56.846{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21FD65932FFCB92D7F53B1FF55A5EADC,SHA256=F28EEF4D8E53D7931D32CDC84D1EFD6FA8938A40F8057F148D4D966E906E6A36,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:56.674{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:56.674{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB36F2253806FEB49407028623E40EC,SHA256=7C2B0285FC4BC372687E65EBCFB622F389BFA4A14A858714D0ADCA3ACF7B9759falsefalse - insufficient disk space 10341000x80000000000000001067254Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:57.961{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067253Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:57.961{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067252Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:57.851{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE2574BB207C82839E185546D7CB7F6,SHA256=D55E7619999EFA6B3D63221ED5B21A5ACB6A0CA7BE558B984895CA0DC70169B0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:57.708{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:57.708{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75851518103BF7EB4E0E7892C5F982B6,SHA256=0F0F62E4D8AA8F4CF819A0ABF898B0E4950FA58D81B620419E6A91103B0FE40Efalsefalse - insufficient disk space 11241100x80000000000000001546429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.795{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.795{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=384A0459183D4AB6652D16E93FFEC6C3,SHA256=301B5BD3AF951E3CB53230B627B4586695832C395697F527D4987053591773C8falsefalse - insufficient disk space 10341000x80000000000000001067259Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:58.962{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067258Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:58.962{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067257Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:58.868{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1BC55A092541D54A5B6397C30CDF3D,SHA256=826F1B916247DAA3FE669B812D6AC5B37DD3F52393B62E40523108187957D4FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001067256Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:53.802{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32501-false10.0.1.12-8000- 23542300x80000000000000001067255Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:58.152{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CBC7F3C03D81B27DF2DF9DDA59D178B,SHA256=DAD753219E31693EAAA92E8AF364608CDD54417380944396646FF699A5255927,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:56.698{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64990-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.294{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.294{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444DA4ECA64853ADBFAA1145D21EE838,SHA256=A1144CFCA718AC4F9900D808EF37CACFCABF9120C433A1564AD0FCB67140C4A2falsefalse - insufficient disk space 11241100x80000000000000001546424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.294{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.294{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31138A48AAB0888041EDC776E4EC0B3F,SHA256=765493F45A3E7FCDD0BA94B37D42931CF5317221CE48A51CF1ED5F9028173FF4falsefalse - insufficient disk space 11241100x80000000000000001546431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:59.966{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:59.966{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF62AF2F99F35774385708C9B8DF3DA1,SHA256=96B6A3F8983EEE427E215B04350B5A9FB9823735FC9628EFF202348473896B63falsefalse - insufficient disk space 10341000x80000000000000001067263Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:59.962{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067262Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:59.962{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067261Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:59.876{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C5017D4CAD5CE290DDB85C89C98A77,SHA256=7C0E25D3D86BDFCC81197CBBCC839DDA6D2DEB98ED8818531CD54F14AE05B987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067260Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:59.425{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4432D112F1729BCA52A71D6B569AF184,SHA256=8F1C758924624D5A135BAB1429D9AA07B3C2AAF9AA346E20D145EABC2CD05EDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067266Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:00.963{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067265Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:00.963{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067264Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:00.883{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8948BEF8DE252CC4B68BDB7B3379EC9F,SHA256=D147D16CB4EA02D032F0FEA342E6930B0BA507C6823AB2B8B47CA990CBD9C0D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067269Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:01.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067268Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:01.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067267Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:01.887{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F79CDFD9B27221D78B997C0C7B07F73,SHA256=8CACF3407615F2F550E623B7B08670985A8DB001A2DDF3CA9E4158B891139233,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:01.075{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:01.075{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2943BB72DCE6B091C9444A21EB8F60B6,SHA256=9DE1E1974D799201D556A1056A88E75FD8D904EC2942173E89CF0A040EA50BEEfalsefalse - insufficient disk space 10341000x80000000000000001067272Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:02.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067271Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:02.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067270Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:02.890{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1260723EC9F10E83F9388C401B38D083,SHA256=EB15BC244F38FA4476919C96724436B9BACDA4A22C858D550B9B3E54491CFEB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:02.303{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:02.303{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7B66A6CCA2F43CF3DE52158F70D5E6,SHA256=EAE271B9D7A69F71319288248D76907AEEF1840C1D6F7A8C1052AB0379E110AAfalsefalse - insufficient disk space 10341000x80000000000000001067275Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067274Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067273Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.892{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0831D1966259EC063E4ABB1928A66518,SHA256=886F3F86FBC1DDD29DF985512B7932BA8B651201B463BEE5E0DCD051C3C0A952,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:01.772{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64991-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.359{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.359{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57581B80851BB90B7E8226E6840B0BF,SHA256=356D1B4761B19A1D7CA2651D547AA13E38CE5DA2B244D544CFF9484CCAA3B25Dfalsefalse - insufficient disk space 11241100x80000000000000001546439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.359{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.359{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444DA4ECA64853ADBFAA1145D21EE838,SHA256=A1144CFCA718AC4F9900D808EF37CACFCABF9120C433A1564AD0FCB67140C4A2falsefalse - insufficient disk space 11241100x80000000000000001546437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.321{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.321{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9EF8DAFF66A87FBA681ADCA6AD4611,SHA256=62D1812AE51649DB1D6C3B65C4FAAEC07CFCD8975C5CCD1E586C00524EA864B2falsefalse - insufficient disk space 10341000x80000000000000001067280Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067279Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067278Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.902{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204440512D90F1039EE250DDFD746614,SHA256=784D9C8268559B6DEF9E22653A508C8AB90A1AD0D6F517C6B4B892055EA85CCC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:04.323{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:04.323{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CB52822CE08EC902ADC915B49D1778,SHA256=5AC0AA00D13AD1511E99A0CC14C25786EE0A2CD630BDBF9D575BF3C343D8792Ffalsefalse - insufficient disk space 354300x80000000000000001067277Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:59.688{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32502-false10.0.1.12-8000- 23542300x80000000000000001067276Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.019{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=606243D6FEF0786574A4130626EE8D5A,SHA256=EC5CED6C510BC471FDDC2992FE744D2315A29F7988E7A092B0BBA297E623D1C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067290Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067289Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067288Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.922{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AFEE46922A52C8D8F4A88181E60CCF,SHA256=87C7EA377442AE7F6339E21E39B46FE3D905F2F81AE0952FDAD8F377AA370679,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:05.326{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:05.326{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D687FE4D91F960B64362427DAA316C94,SHA256=5F5B45CA72EBE5B724573FE9688BC3DDB65916664C12628E881EA441688C4031falsefalse - insufficient disk space 10341000x80000000000000001067287Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.614{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067286Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.614{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067285Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.614{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067284Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.459{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001067283Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.459{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067282Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.459{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb4abaac.TMPMD5=95E355D75CB9B0A6D076CE414DF2B1F4,SHA256=0C9CCEB014A154B30949E1761541EBBD3B0FC9CC2554B5C0868A7F1CDB481C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067281Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.451{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\datareporting\aborted-session-pingMD5=202B00AA9695E1CFA2EE08BF07AF3D5D,SHA256=3287AAD58AEFA0B09A75A4C3C9121C1DB4B5528B210BC6D5D6DB882501FB9DDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067294Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:06.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067293Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:06.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067292Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:06.933{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764FA483F31D33BC35BA93F973B1CC21,SHA256=A226A060AA6D922F353E189F3115AFF7A60E11019BB9EEBB98B367AA5817A434,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:06.529{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:06.529{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F84AE15217956814D704FE296B504E1,SHA256=4BADDD81807BFC53F1E9D9FF60D3493AA4235C70C989FF9A21D95C60DD9C3AB4falsefalse - insufficient disk space 534500x80000000000000001067291Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:06.646{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exe 10341000x80000000000000001067300Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067299Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067298Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.947{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DD9B73A4CE2E2FB5BD650973AF1F0D,SHA256=1379C2449C49A8922F8F8D4DBBDF0C54B7AAB83958D72444ABDFB7626D1138BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:07.531{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:07.531{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDD1DF4C4183B7E630E1A3FFE8067F1,SHA256=8D70A746B1440165B8AF9B9BCC34D31675215547B5AD068545732BCB52892886falsefalse - insufficient disk space 23542300x80000000000000001067297Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.637{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FE98EC160C10144C08D5458D15A6797,SHA256=38E6BEBA3BCC69BE98FD2BBB357A3C32B2988C293D7F32F2B162FBC75DD6CF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067296Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.379{761B69BB-646C-6080-FB5C-00000000BA01}5716ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-16\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio9532780782181384102.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067295Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.346{761B69BB-646C-6080-FB5C-00000000BA01}5716ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-16\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio2352388016338203379.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067318Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.972{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45DE8714F1A430C27C24764B3CC14E2,SHA256=5ACA493351C49CB1FA29278B8FEA4B34C0C86A1CBFC748A40515CBD801455EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067317Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.967{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067316Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.967{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001546454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:08.534{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:08.534{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619719C9992C46BE4DEF52C316D02F05,SHA256=10F44EB4994BD4B91EF7835B0D0D64165C1FB4D2D8BC31509317133751F987EAfalsefalse - insufficient disk space 13241300x80000000000000001067315Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDB-VerSetValue2021-04-21 17:49:08.657{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exe\REGISTRY\A\{2324e785-6857-4bd5-a835-6bfa35e4ffb1}\Root\InventoryApplicationFile\64_dllhost.exe|ddef3887600fc40b\BinProductVersion(Empty) 13241300x80000000000000001067314Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDB-CompileTimeClaimSetValue2021-04-21 17:49:08.657{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exe\REGISTRY\A\{2324e785-6857-4bd5-a835-6bfa35e4ffb1}\Root\InventoryApplicationFile\64_dllhost.exe|ddef3887600fc40b\LinkDate06/09/2020 00:17:28 13241300x80000000000000001067313Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDB-PubSetValue2021-04-21 17:49:08.657{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exe\REGISTRY\A\{2324e785-6857-4bd5-a835-6bfa35e4ffb1}\Root\InventoryApplicationFile\64_dllhost.exe|ddef3887600fc40b\Publisher(Empty) 13241300x80000000000000001067312Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDB-PathSetValue2021-04-21 17:49:08.657{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exe\REGISTRY\A\{2324e785-6857-4bd5-a835-6bfa35e4ffb1}\Root\InventoryApplicationFile\64_dllhost.exe|ddef3887600fc40b\LowerCaseLongPathc:\users\administrator\desktop\64_dllhost.exe 13241300x80000000000000001067311Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDBSetValue2021-04-21 17:49:08.647{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exeHKU\S-1-5-21-868614410-3820876872-2839617749-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Desktop\64_dllhost.exeBinary Data 354300x80000000000000001067310Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.310{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32504-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000001067309Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.302{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32503-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001067308Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.055{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6594-6080-1F5D-00000000BA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067307Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.053{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067306Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.053{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067305Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.053{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067304Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.053{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067303Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.052{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-6594-6080-1F5D-00000000BA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067302Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.052{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6594-6080-1F5D-00000000BA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067301Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.052{761B69BB-6594-6080-1F5D-00000000BA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001546452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:08.302{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:08.302{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57581B80851BB90B7E8226E6840B0BF,SHA256=356D1B4761B19A1D7CA2651D547AA13E38CE5DA2B244D544CFF9484CCAA3B25Dfalsefalse - insufficient disk space 354300x80000000000000001546457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:06.822{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64992-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:09.554{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:09.554{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159438A93719E06E192F30906E274BFA,SHA256=FBDC67AF1E75B618F55443867C34E4C45B125F0F63F10C30FD6A3155AE4E33CEfalsefalse - insufficient disk space 23542300x80000000000000001067323Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:09.973{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B05DFB3C4BFA25107F07DE9AE49FF8,SHA256=AE0EAE39E2AA6ADB37E6901CF97D391A360E3D64971B588CDE9E2FD51FF053E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067322Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:09.968{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067321Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:09.968{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067320Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.820{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32505-false10.0.1.12-8000- 23542300x80000000000000001067319Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:09.056{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62213444320A88C4BAF8204E02005C14,SHA256=184498BA16DE7CB7ADD40F48CEA56FF735E7C7671BD296A873E5C3AE1612DB2D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:10.792{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:10.792{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C2DDE07562A3755E3C08774E348B40,SHA256=EE710263BFD07A81F807E5DDFBC49A497CAF9AC28E7C784C6EAC06E94F10E445falsefalse - insufficient disk space 23542300x80000000000000001067326Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:10.997{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1958EE467510BA23B0BD7A907E13277C,SHA256=1B60E80ACD5E3EFC0F7C725A1CB4A392DC7858CAFEDC3E36190CAD0BF01C998C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067325Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:10.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067324Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:10.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001546463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:11.995{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:11.995{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE2AFCDBFA9999AAE299D72F4004268,SHA256=74F91B84D88BF8895E941DD355485DE4BBD1A28EB91A5463B6D2C8A5C96DCF66falsefalse - insufficient disk space 11241100x80000000000000001546461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:11.309{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436 23542300x80000000000000001546460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:11.309{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4BA7F9BA2C04D3B880AF2349B45FCEB2,SHA256=7C5E6C16A48FDE44935CE5B99A614B174E6424A550B17D9356A0994C380254A9falsefalse - insufficient disk space 10341000x80000000000000001067337Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067336Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067335Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.869{761B69BB-6597-6080-205D-00000000BA01}1688712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067334Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.734{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6597-6080-205D-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067333Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.733{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067332Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.733{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067331Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.732{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067330Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.732{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067329Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.732{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-6597-6080-205D-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067328Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.732{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6597-6080-205D-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067327Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.731{761B69BB-6597-6080-205D-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001067357Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067356Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067355Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.901{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6598-6080-225D-00000000BA01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067354Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.899{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067353Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.899{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067352Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067351Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067350Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-6598-6080-225D-00000000BA01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067349Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6598-6080-225D-00000000BA01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067348Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-6598-6080-225D-00000000BA01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067347Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.271{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C40147433EF9BE979E2C66700937B104,SHA256=5E398D8BBB42541CAABA8D2C2F4009FF55D555F336DAAB1490A15D0EC5E6900E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067346Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.234{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6598-6080-215D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067345Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.232{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067344Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.232{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067343Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.232{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067342Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.232{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067341Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.232{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-6598-6080-215D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067340Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.231{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6598-6080-215D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067339Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.231{761B69BB-6598-6080-215D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067338Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.009{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF67017D5FA8130F723A31692E70EE36,SHA256=832B469AF6EA7217A013CE7CD05DC597EE00025C078BFD2A85727D643BD9ABE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067362Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.970{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067361Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.970{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067360Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.385{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F52582161802FD87B82A9F2E7FC4BF0B,SHA256=5AD14C2850F2689CEBF2073037D8C03DB83B7A683DD85ED20168198A77E3CDA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067359Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.035{761B69BB-6598-6080-225D-00000000BA01}20726264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067358Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.034{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35DE7DA98E65F8407AF8A431D02AA8F,SHA256=8AF8FD36822F7DC4D6B99FD820F3037492B8E6BAE025647582D3C7EED645D955,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:13.165{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000001546466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:13.165{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 11241100x80000000000000001546465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:13.113{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:13.113{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70079624E25A98142410BF54D8D7669,SHA256=AB6AE4B29F7AAA957FE85167339093C19940F73E9E57026A046051723E60A83Cfalsefalse - insufficient disk space 354300x80000000000000001546475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:12.698{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64994-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000001546474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:12.636{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64993-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.116{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.116{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816316699FC89400F0F663A843D6BC25,SHA256=B305C336D8E4EB40E8A876D28D2F77E181628744A1333F87F0FEF2F699FA1BD7falsefalse - insufficient disk space 10341000x80000000000000001067365Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:14.971{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067364Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:14.971{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067363Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:14.038{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E872C47D20BF5BDD8E0681A720959B,SHA256=9E89A09E61B7B88B2D6665AFD5EFFD0123485B282F14B4F23B5952C7AB6D8886,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.084{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.084{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B6ED663CAA47B1594060CE7FEEF47C3,SHA256=62D8BB891AF4A51C5BDB0ED198DAC4418692304EEB309DF520E992E8DE4D4463falsefalse - insufficient disk space 11241100x80000000000000001546469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.084{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.084{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56C624890137AC547EBD1D76AD485B98,SHA256=2C1CCC123F9D8862C9A9FBF1CFD9A71D5523AC1FAE9CDA495602EC25A41AA233falsefalse - insufficient disk space 11241100x80000000000000001546477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:15.350{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:15.350{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D7C90E5A27144C2C1ABAA11728D188,SHA256=F861EE4786A41BB6C72533F157DB97FE4BAA9196EDB6C5A7EDAE2E1B83A9485Afalsefalse - insufficient disk space 10341000x80000000000000001067370Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.972{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067369Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.972{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067368Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:10.698{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32506-false10.0.1.12-8000- 23542300x80000000000000001067367Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.044{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5786E982A9E9661A7BCFE7E98424FB56,SHA256=32D385F64B6EE40550B9CCA8EF74F612FCB51253FF813BFE3C9575A30366D301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067366Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.031{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDB346A67D0ED28F48C5F113E9DAF92D,SHA256=1F224FAD9A55A7B0738016BAF44A00242473C430EBFC29BAC483741DA2FFA667,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067373Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:16.972{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067372Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:16.972{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067371Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:16.050{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393B87CECC98935270EA1BA70901C5D8,SHA256=3B6F0A3AB0810A4E6C39BBFBBE7E4C50DA922B4D8E102347A717C1D95AB19408,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:16.406{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:16.406{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3F1A82B65F7F9ACFBB7FFA93D1D2FA,SHA256=933311E1E1FB047E874B49EF826BC337DB586AE36553BAFDEF20C7AFF9A8A857falsefalse - insufficient disk space 11241100x80000000000000001546481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:17.408{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:17.408{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106161C75D8256E4E6D4503E080C84F5,SHA256=D40E4E30228F12394D94B8AD76FA34A3AF2895C74DC31438CC27030199350E8Bfalsefalse - insufficient disk space 10341000x80000000000000001067376Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:17.973{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067375Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:17.973{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067374Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:17.057{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD99907F494797DB26CB7926C89CC05C,SHA256=7819023253469A72A86E1E91C16FFC1BBCE7538491B106A6825BFBB391D3D076,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:18.526{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:18.526{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95712565E95A72634C972BB01CA56B89,SHA256=057AEF14364648B8DBE7CDEB6261A1C8CAE25142BEF0FEE00A8A37B4336B8953falsefalse - insufficient disk space 10341000x80000000000000001067379Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:18.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067378Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:18.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067377Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:18.065{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887DED4490C6BF71772C143356CB50B2,SHA256=2C8742FC4068EF1EBD8DD04833A18637202F4D8F260C9B7ACB63BAE250E19A71,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:17.679{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64995-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.544{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.544{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA69A72382DA70446BD5BE1106D18BA,SHA256=E2F4C3A94BB2DBD69A4C6EE373BCAC4AAA05B021185EBABFB00004048BC9DBAAfalsefalse - insufficient disk space 10341000x80000000000000001067382Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:19.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067381Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:19.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067380Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:19.081{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F34F17B4C2C803B197388B4F55E39C,SHA256=B1945F98ABD331065A13FE1578490AF7F09E0ABF2C338E37119977DFE2C0CF8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.213{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.213{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A010FDDB1B04678C96B0282EB27D6A60,SHA256=67A51916365B405F4458353529FB796652B0DC312DB5D853A0BB4CA59326868Ffalsefalse - insufficient disk space 11241100x80000000000000001546485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.213{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.213{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B6ED663CAA47B1594060CE7FEEF47C3,SHA256=62D8BB891AF4A51C5BDB0ED198DAC4418692304EEB309DF520E992E8DE4D4463falsefalse - insufficient disk space 11241100x80000000000000001546492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:20.547{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:20.547{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3422E2F4CE4DA522D8EC553C0C23C9B2,SHA256=A8B88F388E9B575CBB7B34A99A48BFA7673DF5C00FB37696B992C27E37299F1Dfalsefalse - insufficient disk space 10341000x80000000000000001067397Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067396Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067395Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.832{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32507-false10.0.1.12-8000- 10341000x80000000000000001067394Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.911{761B69BB-65A0-6080-235D-00000000BA01}69487164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067393Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.770{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65A0-6080-235D-00000000BA01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067392Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067391Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067390Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067389Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.767{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067388Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.767{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-65A0-6080-235D-00000000BA01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067387Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.767{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65A0-6080-235D-00000000BA01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067386Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.766{761B69BB-65A0-6080-235D-00000000BA01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067385Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.165{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B11C7DF730A641DD4A24AA0D62D072DB,SHA256=9A225ADC7EDF8A3D0ACCCBF9CCB8653CBBCC1432B61F33D2882EA36E6133EBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067384Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.164{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC1BFF729C8AD7E535CE2C54735044EA,SHA256=06C3EE26AB430CDA012C27DD61673F2E92C64985037B26A98D3A435FC1BD6C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067383Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.089{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484697CADF2E738B1B7C40768BE6785F,SHA256=29F9A9BD994A1E898A0D3D9BEF88AE976EC6D29C8C8F5D9ADA7B299928ADA8A9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:21.766{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:21.766{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3C239A69F6F60BBF20391728E0F530,SHA256=12F17B709B9478488A136587C20BA9433C28F7F08AE6286C72AFF0CB1FA5A4B3falsefalse - insufficient disk space 10341000x80000000000000001067409Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067408Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067407Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.770{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B11C7DF730A641DD4A24AA0D62D072DB,SHA256=9A225ADC7EDF8A3D0ACCCBF9CCB8653CBBCC1432B61F33D2882EA36E6133EBB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067406Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.433{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65A1-6080-245D-00000000BA01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067405Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067404Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067403Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067402Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067401Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.430{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-65A1-6080-245D-00000000BA01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067400Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.430{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65A1-6080-245D-00000000BA01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067399Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.429{761B69BB-65A1-6080-245D-00000000BA01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067398Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.101{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82798D6F11F46B2AF6FD7F0375288F42,SHA256=99310BDF28ABEF1D9BBF9B37B79555889EFE18AE513016CBBC2A89003B5815D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:22.768{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:22.768{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660DFACEC4240BD393FF5AF0C8B402E6,SHA256=CF2A7131B98D51D9902152B6B340EABCD4B7BF693F6622FFFF20A4FD62D40822falsefalse - insufficient disk space 10341000x80000000000000001067421Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067420Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067419Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.230{761B69BB-65A2-6080-255D-00000000BA01}63404716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067418Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.110{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1628844EA08B6C1AB05D601AFE11814,SHA256=445625ABE1D85C2EB62D454731BBC7897302FEE2739096C631950CF4E8DE30CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067417Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.089{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65A2-6080-255D-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067416Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.087{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067415Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.087{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067414Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.087{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067413Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.087{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067412Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.086{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-65A2-6080-255D-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067411Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.086{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65A2-6080-255D-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067410Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.086{761B69BB-65A2-6080-255D-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001546498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:23.770{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:23.770{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341C0397F645BBC800966BCB70F6C29C,SHA256=658ECF81A93DE4F80E5F6D526FD304CA73FF432ED2A8E227C6763A7801E71771falsefalse - insufficient disk space 10341000x80000000000000001067425Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:23.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067424Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:23.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067423Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:23.116{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B2593739726DBD984FDEBB2498EB52,SHA256=5B5DD1F07A9123FFB49771A8CABD2D547C9EE7C24D2AE1CCA8439B9E3BBB7733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067422Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:23.097{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB0282DFB2B9883E79D16588C29B1BF3,SHA256=DE4D828F91C12850925BEBD9D86F212AC90CB2322A2A3D547275450DFB053A25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:24.791{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:24.791{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26CB7A7506584BF1EF014F164619FC2,SHA256=BB808F28FD1452C12E4D6C9EF6106D5D683ED248A8FBEF322313A687A69179B8falsefalse - insufficient disk space 10341000x80000000000000001067429Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:24.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067428Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:24.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067427Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:24.361{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=895EA943B9C5787BF58CF66D295615C9,SHA256=A5A8D46614A644E8D52335424FB75FCBED5979D269CEAA53470A80FCEDACA4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067426Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:24.122{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C50920ACEFCF280DFB5C8D25583D517,SHA256=F83B77BD2C9AF21ACC9ADF8B9639CFC792184CE9E42E6F7B3C3F0B0ADB90607A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:24.171{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:24.171{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A010FDDB1B04678C96B0282EB27D6A60,SHA256=67A51916365B405F4458353529FB796652B0DC312DB5D853A0BB4CA59326868Ffalsefalse - insufficient disk space 11241100x80000000000000001546550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.893{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.892{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FAE0388484AA62C6BC2009EC76437A,SHA256=428F4369B1BF650033213F1363CFF1D83F7E9A421CB3F28768EBA58CC29700DCfalsefalse - insufficient disk space 10341000x80000000000000001067435Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:25.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067434Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:25.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067433Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.749{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32508-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001067432Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.749{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32508-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001067431Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:25.361{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88D5D7443C706A3CA7A084B10C126486,SHA256=F51F5F6A77FA4BCF4A6BEF90733117AD6CA222B1E4EC1DEA7EF167929B9266AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067430Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:25.151{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710FAF1F75BEF819B821EE2D27C7B0DB,SHA256=C4BC4C78DE97E14FBF1C9CE8572CE0E3DE3DE23E258BA0FB193B9095355E2AA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001546548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-83AE-607D-1E00-00000000BB01}1992C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-83AE-607D-1E00-00000000BB01}1992C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001546503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:22.723{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64996-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001067439Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067438Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067437Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.715{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32509-false10.0.1.12-8000- 23542300x80000000000000001067436Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.156{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F3AF2F9BADE85BB7AF5EABD33107B7,SHA256=0A7D81D339AEA30A16AC47B907CF842D423433F08BE316DAF6D18C89986E7ED9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067442Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:27.977{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067441Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:27.977{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067440Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:27.166{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBF89715B5BABBD686B449CA0BB4641,SHA256=AB932F29AC7ED48E80604F15968DA66BF87BB5D94CC07119ADE500BEDEF580D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.517{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.517{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD15A31ECD9447EF2A7F1BD5B6434BC,SHA256=1DA0C8153D62E9A30C140F653EFBA0DE5C0A1DEF329FA03C90183DDD889B02F0falsefalse - insufficient disk space 534500x80000000000000001546606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.163{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001546605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.163{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.163{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.163{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001546598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001546596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000001546565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000001546559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.017{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001067445Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:28.977{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067444Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:28.977{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067443Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:28.170{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8F3208D59CECAB378344C69CD8DAE6,SHA256=473255CFBECBB48327523B2E004D1E67816E31D2E5E9AEE6F94F9A525B869039,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:28.281{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:28.281{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E626D1D4E32FB36428152B051D61C7,SHA256=03B63EEA2ACC0100B0853F126B2236C87E6447EE03ACEF3041C2FF1CE9EAF36Dfalsefalse - insufficient disk space 11241100x80000000000000001546610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:28.018{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:28.018{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B57DA39B5187501172AA9FFABA1CDC,SHA256=46F6B18B9CF2EE83D021C1D66B3FA90F198CD07B8C372772D4D5359420030208falsefalse - insufficient disk space 10341000x80000000000000001067449Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:29.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067448Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:29.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067447Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:29.845{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067446Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:29.180{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A701A495E74ED40F2EC7DD7794F1E0DA,SHA256=4496DF51BCC582EDB6078E8230CF061D3FCF6B7B5D7B379F12A019C27EE8BB30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.788{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64997-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:29.284{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:29.284{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857A7FA22860DC7E89776C6B7B41D3D9,SHA256=DC20A3249645DFB55CC1A015F0B5ED69E5466EAC640ADBC813882FDB7029EF74falsefalse - insufficient disk space 11241100x80000000000000001546614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:29.237{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:29.237{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=279FFAC2DD00CB14FE228B3B580D80DD,SHA256=520CDBFF06B414B86F938E8D736B5D2DE20770C2F7455912479D5E9FF4CA9E96falsefalse - insufficient disk space 11241100x80000000000000001546619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:30.455{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:30.455{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E39B6B1983D491232E07117293369E4,SHA256=3D693CFA65E2F26AA65632EF173981178AE89BBBBEE7825CF04C852B19FE6DB6falsefalse - insufficient disk space 10341000x80000000000000001067454Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067453Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067452Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.845{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4CCDD241922368766248C7268444BA2,SHA256=A89FE48D4EB5F811BC533053A51492C0B7466FCA18AD3AC197BD0B6B3CC4B2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067451Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.843{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D72205CB2D2759E5D825798FED3BE521,SHA256=173F789C4B1735A7F1AEBDFCF342A6483EA97814152A30CF92070B2A45F0117E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067450Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.186{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1E637033E4033A4CB326C8A18E3CE2,SHA256=4962E175439C26446C31CB76102AC1AC9EE863CF1AF43EB5B83D36501BB45DE6,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000001546683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.643{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.643{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBE832F77405D25111A599C553D65EC,SHA256=AC84A701467BE1F9A62BA857B8E0A1797CEF0E7B0A31E3FA0649528C4EBB6CBFfalsefalse - insufficient disk space 534500x80000000000000001546675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.458{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000001067459Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:31.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067458Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:31.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067457Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.849{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32511-false10.0.1.12-8000- 354300x80000000000000001067456Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.510{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32510-false10.0.1.12-8089- 23542300x80000000000000001067455Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:31.194{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD57C2A4A08F0138E1B5FB28DF0BB28B,SHA256=5CF651C9660A09E0956E278987E3E5E24C78B86DEC5E5F1A06835DEABC6B8BBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001546674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.442{21761711-65AB-6080-495E-00000000BB01}7161912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.442{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.442{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001546667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001546665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001546633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000001546628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.305{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000001546797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.830{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.814{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.814{21761711-65AC-6080-4B5E-00000000BB01}12362200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.814{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.814{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000001546792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.745{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.745{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0968A0ED911DCFB37F5D6170C7D199FE,SHA256=94E86E35B9C9D56073D244A36C11CBB89A7E4A89B2B476341952F2AC66897F55falsefalse - insufficient disk space 734700x80000000000000001546790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000001546748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.676{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.676{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.677{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.676{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:32.676{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.676{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:32.676{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.676{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:32.676{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001067462Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:32.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067461Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:32.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067460Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:32.203{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF47051FFD298AE19F6F6F37CED90000,SHA256=5FCC7A6BEBF4FF085A87286D9AAD5249E29C615B1912B55EF012DA5EC974E28B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.310{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.310{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=672554036F09E0B56B6B877BD532AD78,SHA256=F498D4CB617E756BE8C8D317E1BD5C0BB7CA98C7BB7A4EC2C6F38C6E80F860C6falsefalse - insufficient disk space 534500x80000000000000001546737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.144{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001546736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.144{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.128{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.128{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001546729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001546727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001546722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.012{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.011{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001546699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000001546697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001546696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.010{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000001546695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.009{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.009{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.009{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.009{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000001546691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.008{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.007{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.007{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.007{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.006{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000001546686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.006{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.991{21761711-65AB-6080-4A5E-00000000BB01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000001546912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.895{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.895{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.895{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000001546896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001546874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000001546869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.866{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.864{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.864{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882D5704CD7C3997EB286E8F04FDC5F5,SHA256=13B3E2BDB014A3991F4DC094FFD83A3BB40AAD112727F301C5F9452EE2DF00F9falsefalse - insufficient disk space 11241100x80000000000000001546858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.848{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.848{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6CDDA8AD830B1E78021EB18491BBA3,SHA256=80E918F7FB75013FB838DBB9CE462F1DF283A1020C720E5A5913D28CE752F390falsefalse - insufficient disk space 11241100x80000000000000001546856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.848{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.848{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBDF483BF06D9C7AF44FAEF65FC29CD4,SHA256=2B4B4052BE267B1B5135A3226B30A5B728F21E07395C4E8910DFB40C9271FAA7falsefalse - insufficient disk space 10341000x80000000000000001067465Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:33.979{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067464Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:33.979{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067463Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:33.221{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F583C3F0ADDB54D153CB6A34C1C654,SHA256=019D28EE3696AE807126FE331EB0433898274D5F913CD6679962B978DB378737,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001546854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.516{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.516{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.516{21761711-65AD-6080-4C5E-00000000BB01}75006636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.513{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.513{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.394{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001546812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000001546806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.363{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.998{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.998{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348817922FAFD581695BCC6BD768AB46,SHA256=BA0B228A4CBDA0142753E249654670E4DE5897B86B121A4A5F026042E40F0160falsefalse - insufficient disk space 11241100x80000000000000001546976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.982{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.982{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8AF7A816D135E9E81BC012D852C9CB4,SHA256=0DFEB65079329E856F4AE9EB33650E957C9DC23B25ACE4772D50466B5493F160falsefalse - insufficient disk space 11241100x80000000000000001546974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.982{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.982{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B782A9F6E77C7B7EE7FAD4F6E24884B,SHA256=E50D4E3820314DE73D2DAC14717086044EC3C940E38083585B72BC9A1CCD0986falsefalse - insufficient disk space 10341000x80000000000000001067468Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:34.980{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067467Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:34.980{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067466Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:34.240{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AEBE6828EA6F55B566C3A9195EA31E,SHA256=8A3E52D10AF9F02F4BB1A1666DE451AA9ACAFE20E629D1CE9310F87BB027E85C,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001546972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}50007464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.581{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000001546925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.551{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000001546916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.017{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.017{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.017{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.017{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001067471Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:35.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067470Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:35.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067469Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:35.243{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7695D075178F26E03F1EE572FCFD54E7,SHA256=42FD962669C6AAC15C39730ED5F68EEB7ACD287F8C56508A78D7B420E4F3A171,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.985{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.985{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F79008CF81DC121E6C53E189CC2C340,SHA256=D6BBE3DC0F5CB3020B7202C8FB5E5E61753D8CC14F8334C8DCFD2FEB01245961falsefalse - insufficient disk space 734700x80000000000000001548232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.953{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=2BDBEE1B42063F245AC86F54C236BC4E,SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6trueMicrosoft WindowsValid 12241200x80000000000000001548231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.969{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000001548205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 12241200x80000000000000001548204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000001548183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.953{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000001548182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.953{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=D681E677EA3BF7C96E44E3E078B57157,SHA256=76578F80CE995467E1AC137F0B36A9E6AFAD67ED5C4CDD2126F409BF457E8A82trueMicrosoft WindowsValid 11241100x80000000000000001548181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.953{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 12241200x80000000000000001548180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.953{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 23542300x80000000000000001548179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.953{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89CFE8FED59F6BA8DF50CCEA982E53D,SHA256=696BFC826C982608A7E1E7F69373F7FD58117AD923766EB86A77133471EC6EFDfalsefalse - insufficient disk space 10341000x80000000000000001548178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+12d7c(wow64)|C:\Windows\System32\faultrep.dll+d63f(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x80000000000000001548167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 10341000x80000000000000001548166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+26bd3(wow64)|C:\Windows\System32\faultrep.dll+113c0(wow64)|C:\Windows\System32\faultrep.dll+d23a(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10497(wow64)|C:\Windows\System32\faultrep.dll+d186(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+d124(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 12241200x80000000000000001548163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.938{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x80000000000000001548162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-83AE-607D-1600-00000000BB01}11086004C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000001548160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.938{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001548159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000001548158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426trueMicrosoft WindowsValid 734700x80000000000000001548157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000001548156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000001548155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 10341000x80000000000000001548154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 11241100x80000000000000001548152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\90d87c30-ea35-4b55-9a5d-4270c3ae17602021-04-21 17:49:35.938 734700x80000000000000001548151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dbgcore.dll10.0.14321.1024 (debuggers(dbg).160715-1616)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=F9E3229224FEC57A53F5B2A4B21942E0,SHA256=C008454B1C65436C4289918CD64A83FDE655E2682977C68F3B866A3BB947E244trueMicrosoft WindowsValid 734700x80000000000000001548150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=529408E2C123D00D4CC2BEBCC8479566,SHA256=B8FE6F8E7B439EE4890F305AA008553CB68F6FEA7268262E6F1C3FD7F6FB90B8trueMicrosoft WindowsValid 734700x80000000000000001548149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\Faultrep.dll10.0.14393.4046 (rs1_release.201028-1803)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=DF986454FA35F76D1A1A896DD06E8A82,SHA256=F6AEAFE468D20799BECDA4D721940B317E88C2695A80D8497D816B8C241B700DtrueMicrosoft WindowsValid 734700x80000000000000001548148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\wer.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=8E413051DCEE704261ECCB513D0BE8E1,SHA256=0FFE33CB1FF0C347C8522965F2AAD467F92DA6F7FFAD3AA1DF824C5BC5AFDB30trueMicrosoft WindowsValid 734700x80000000000000001548147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=0D7153433B25ABA6DF86FBC7FA543CBF,SHA256=C8DF43428EC79BEB384B2B2561A3D8FF98040ABBC760C35F99E1FBE2D04170BFtrueMicrosoft WindowsValid 734700x80000000000000001548146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x80000000000000001548145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x80000000000000001548144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=FD246A07CED3BC52C91E4CE7F149B814,SHA256=643D290491BB7D0137CAD77B3DB612D69A6EC7AFE9C411D438C3CA1769F1EECCtrueMicrosoft WindowsValid 734700x80000000000000001548143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000001548142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000001548141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000001548140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000001548139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 734700x80000000000000001548138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000001548137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000001548136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000001548135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x80000000000000001548134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000001548133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 10341000x80000000000000001548132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000001548131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000001548130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001548129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000001548128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001548127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001548126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001548125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001548124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000001548123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.921{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000001548122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.921{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 734700x80000000000000001548121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.921{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001548120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.921{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe10.0.14393.4046 (rs1_release.201028-1803)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=873FDC21DDF6CBD1D5396E15D9EEB070,SHA256=B18648B926F4F6F1721D033741E07D23148BB3EE435E579B34C2A2B4439476D0trueMicrosoft WindowsValid 10341000x80000000000000001548119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.920{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001548118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.919{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+5b5b|c:\windows\system32\faultrep.dll+61c1|c:\windows\system32\wersvc.dll+ae9c|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001548117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.917{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe10.0.14393.4046 (rs1_release.201028-1803)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 1520C:\Windows\system32\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=873FDC21DDF6CBD1D5396E15D9EEB070,SHA256=B18648B926F4F6F1721D033741E07D23148BB3EE435E579B34C2A2B4439476D0{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe 10341000x80000000000000001548116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.917{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.916{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.916{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001548113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FEtrueMicrosoft WindowsValid 11241100x80000000000000001548112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\WER\Temp\259f5272-c88b-4aca-96fc-92f1055a61552021-04-21 17:49:35.900 10341000x80000000000000001548111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae19|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ac09|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7a60|c:\windows\system32\wersvc.dll+76fc|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001548108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\WER\Temp\d51d36f2-3232-4e38-8fdb-02149404cf9f2021-04-21 17:49:35.900 734700x80000000000000001548107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178DtrueMicrosoft WindowsValid 734700x80000000000000001548106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000001548105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000001548104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x80000000000000001548103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=D9715C34200FA21F6356CD5C56FE343C,SHA256=E7541EB9D78312F1F72D8D83A8BB2B26FF3F02F60129DCF7F6759EC7E183C84EtrueMicrosoft WindowsValid 734700x80000000000000001548102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001548101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001548100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000001548099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\Faultrep.dll10.0.14393.4046 (rs1_release.201028-1803)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=0702EE3664C421A0F2C56C6E8DE95B5B,SHA256=C7860A575ADDC1C85A8908C9FA4174095F86990BD6944420BE59C99E74D8A393trueMicrosoft WindowsValid 734700x80000000000000001548098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001548097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001548096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001548095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\weretw.dll10.0.14393.4169 (rs1_release.210107-1130)WERETW.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWERETW.DLLMD5=1325BA707320C3DC1024560DEA903AD9,SHA256=227376F2B461D7B2539F223E92CFBCBD5EA7DAE182BF277D7D0B2951CAC42B8AtrueMicrosoft WindowsValid 11241100x80000000000000001548094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DC80EEE3E504C61CA4A20AA3150AC2,SHA256=920180E93177389F85E08DED166E16F916DCEECD8A911B9469FE7A8852462C00falsefalse - insufficient disk space 734700x80000000000000001548092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 734700x80000000000000001548091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001548090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001548089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x80000000000000001548088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001548087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000001548086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001548085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\wersvc.dll10.0.14393.4048 (rs1_release_inmarket.201115-1326)Windows Error Reporting ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationwersvcMD5=1B4E315417F6409CDAE6FBE7ED23F9DC,SHA256=88EBAB9E66F8C166433C3F5BA30FFD7049D29301E1FEA099987BD1CE99F96D37trueMicrosoft WindowsValid 12241200x80000000000000001548084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000001548081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7trueMicrosoft Windows PublisherValid 12241200x80000000000000001548080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 10341000x80000000000000001548075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-83AD-607D-0A00-00000000BB01}6202564C:\Windows\system32\services.exe{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000001548074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000001548059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-83AE-607D-1400-00000000BB01}4801188C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001548057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001548056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001548055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001548054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x80000000000000001548053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.884{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001548052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 10341000x80000000000000001548051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001548050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.884{21761711-83AD-607D-0A00-00000000BB01}6206136C:\Windows\system32\services.exe{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+17f9d|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001548049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.878{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7{21761711-83AD-607D-0A00-00000000BB01}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001548048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.869{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-83AD-607D-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.869{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.869{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.869{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-83AD-607D-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.869{21761711-65AF-6080-4F5E-00000000BB01}34523608C:\Windows\SysWOW64\dllhost.exe{21761711-65AF-6080-505E-00000000BB01}7608C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ef6c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ece62(wow64)|C:\Windows\System32\KERNEL32.DLL+66cbc(wow64)|C:\Windows\System32\KERNEL32.DLL+66a86(wow64)|C:\Windows\System32\KERNEL32.DLL+3e649(wow64)|C:\Windows\System32\KERNELBASE.dll+15e95a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+9d2fe(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x80000000000000001548043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.853{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\wininetlui.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Provides legacy UI for wininetMicrosoft® Windows® Operating SystemMicrosoft Corporationwininetlui.dllMD5=264529BBF1D0F2E468E21CE4BBE0FA77,SHA256=E63316A56AFCC5A24B2B999FCC5CD923394E24D525AEBC3C10B4A1DBBE25C88BtrueMicrosoft WindowsValid 734700x80000000000000001548042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.853{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.3541 (rs1_release_inmarket.200218-2047)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=8CFD633EE740B2693E96831A534E4577,SHA256=78CC7389CB132DE0B826A2C78F1F9A6170F6A5DBEEE997E6B83C206C79B17510trueMicrosoft WindowsValid 11241100x80000000000000001548041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.853{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.853{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2459F18820401580BE271590EE8F1924,SHA256=DF99D04A29C109B5C0259AD82ACB8987F69E01740E556066B7D657A9A6B15F53falsefalse - insufficient disk space 13241300x80000000000000001548039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001548038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001548037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001548036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001548035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=A11EBF985384257D0E302247145A5F80,SHA256=8254D3505507F2942E0051B5B68098F4525B8B6DC560FABCDE77C4E59024B461trueMicrosoft WindowsValid 12241200x80000000000000001548034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x80000000000000001548033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x80000000000000001548032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x80000000000000001548031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001548030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001548029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001548028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001548027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001548026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000001548025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001548024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001548023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001548022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001548021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001548020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001548019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001548018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001548017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000001548016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001548015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001548014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001548013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001548012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001548011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs 12241200x80000000000000001548010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs 12241200x80000000000000001548009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates 12241200x80000000000000001548008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x80000000000000001548007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x80000000000000001548006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001548005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001548004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001548003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001548002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001548001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001548000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001547999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001547996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001547995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001547994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001547992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001547991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001547990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x80000000000000001547987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000001547986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000001547985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x80000000000000001547984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x80000000000000001547983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000001547982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000001547981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x80000000000000001547980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs 12241200x80000000000000001547979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs 12241200x80000000000000001547978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates 12241200x80000000000000001547977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000001547976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000001547975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000001547974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs 12241200x80000000000000001547973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates 12241200x80000000000000001547972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x80000000000000001547971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x80000000000000001547970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 12241200x80000000000000001547969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x80000000000000001547968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x80000000000000001547967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs 12241200x80000000000000001547966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs 12241200x80000000000000001547965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates 12241200x80000000000000001547964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x80000000000000001547963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x80000000000000001547962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000001547961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs 12241200x80000000000000001547960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates 12241200x80000000000000001547959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x80000000000000001547958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x80000000000000001547957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001547956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001547955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001547954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001547953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001547952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001547951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001547950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001547949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001547947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001547946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001547945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001547942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001547941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001547940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001547938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001547937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001547936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs 12241200x80000000000000001547933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs 12241200x80000000000000001547932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates 12241200x80000000000000001547931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000001547930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000001547929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001547928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001547927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001547926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000001547925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001547924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001547923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001547922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001547921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001547920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001547919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001547918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001547917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000001547916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001547915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001547914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001547913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001547912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001547911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001547910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=EFD0BE8FD1FF4E6D9A2112549F00C298,SHA256=FBC2001A38F051603972763B0CBAE114671C68A5FFB99AB013A0E1055C430AB6trueMicrosoft WindowsValid 734700x80000000000000001547909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x80000000000000001547908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=FD246A07CED3BC52C91E4CE7F149B814,SHA256=643D290491BB7D0137CAD77B3DB612D69A6EC7AFE9C411D438C3CA1769F1EECCtrueMicrosoft WindowsValid 734700x80000000000000001547907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x80000000000000001547906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x80000000000000001547905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x80000000000000001547904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=0D7153433B25ABA6DF86FBC7FA543CBF,SHA256=C8DF43428EC79BEB384B2B2561A3D8FF98040ABBC760C35F99E1FBE2D04170BFtrueMicrosoft WindowsValid 734700x80000000000000001547903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 12241200x80000000000000001547902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x80000000000000001547901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x80000000000000001547900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x80000000000000001547899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 13241300x80000000000000001547898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000001547897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000001547896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x80000000000000001547895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001547894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000001547893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001547892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x80000000000000001547891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x80000000000000001547890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.822{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=6A4EC7FCDF21570DCB1AAEA8BCE6C68B,SHA256=11DF4EEFA9F2EAB3440D073442C14884AA4145360F1ADB63B220431E5D01BB2CtrueMicrosoft WindowsValid 12241200x80000000000000001547889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.820{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 11241100x80000000000000001547888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.820{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000001547887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.819{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 23542300x80000000000000001547886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.819{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B3DECB87914082F9A77CE8F69B5341,SHA256=5DC825FCC2AC5C23EA02625D2309DFEBD1314BEDCBE93165A5C92E6F6529CF7Afalsefalse - insufficient disk space 10341000x80000000000000001547885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.819{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001547884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.819{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x80000000000000001547883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.819{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000001547882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.819{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x80000000000000001547881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.819{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x80000000000000001547880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.819{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x80000000000000001547879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.819{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000001547878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.818{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x80000000000000001547877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.818{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x80000000000000001547876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.817{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x80000000000000001547875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.817{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x80000000000000001547874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.817{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x80000000000000001547873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.816{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=5956013FD503AA525624271D79C23A41,SHA256=F678669E7BDEAA35648FD330F23627EA15B2D79D263610F46FB1B3881AEDBF74trueMicrosoft WindowsValid 734700x80000000000000001547872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.815{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x80000000000000001547871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x80000000000000001547870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x80000000000000001547869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000001547868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=4803B5E62FA1809BBED6F7E987942ACB,SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72trueMicrosoft WindowsValid 734700x80000000000000001547867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000001547866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000001547865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000001547864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000001547863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1112AB17E3ABDFF5F20CB2F465A2E117,SHA256=C47039A4DF6C685317C6539F205A46350DB055342704F1957D1FB0A1278AC076trueMicrosoft WindowsValid 734700x80000000000000001547862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000001547861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426trueMicrosoft WindowsValid 734700x80000000000000001547860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000001547859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000001547858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 10341000x80000000000000001547857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001547856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001547855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000001547854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000001547853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=D72267FB5D321279DE909DB118CDEEFE,SHA256=D8386DCF2ACF3D48A2C95CCF6C3A9505E1CA99FF803027D76068596A34210FAEtrueMicrosoft WindowsValid 734700x80000000000000001547852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000001547851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4283 (rs1_release.210303-1802)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=253114E61AAAE4A12B73BAA54FBAAA62,SHA256=738E566E19705CA3190F448EDA108FAB2324C6A6E9DAAA12024777C9C5E6BF0EtrueMicrosoft WindowsValid 734700x80000000000000001547850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000001547849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 734700x80000000000000001547848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000001547847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000001547846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000001547845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000001547844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.800{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000001547843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000001547842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001547841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000001547840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001547839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001547838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001547837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001547836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000001547835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000001547834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 734700x80000000000000001547833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001547832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8trueMicrosoft WindowsValid 824800x80000000000000001547831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe36080x0000000002B60000-- 11241100x80000000000000001547830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294797_WINWORD.EXE_3548_4412_1676.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294798_WINWORD.EXE_3548_4412_1675.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294798_WINWORD.EXE_3548_4412_1674.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294799_WINWORD.EXE_3548_4412_1673.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294799_WINWORD.EXE_3548_4412_1672.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294800_WINWORD.EXE_3548_4412_1671.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294800_WINWORD.EXE_3548_4412_1670.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294801_WINWORD.EXE_3548_4412_1669.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294801_WINWORD.EXE_3548_4412_1668.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294801_WINWORD.EXE_3548_4412_1667.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294802_WINWORD.EXE_3548_4412_1666.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294802_WINWORD.EXE_3548_4412_1665.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294803_WINWORD.EXE_3548_4412_1664.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294803_WINWORD.EXE_3548_4412_1663.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294804_WINWORD.EXE_3548_4412_1662.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294804_WINWORD.EXE_3548_4412_1661.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294804_WINWORD.EXE_3548_4412_1660.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294805_WINWORD.EXE_3548_4412_1659.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294805_WINWORD.EXE_3548_4412_1658.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294806_WINWORD.EXE_3548_4412_1657.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294806_WINWORD.EXE_3548_4412_1656.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294807_WINWORD.EXE_3548_4412_1655.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294807_WINWORD.EXE_3548_4412_1654.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294808_WINWORD.EXE_3548_4412_1653.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294808_WINWORD.EXE_3548_4412_1652.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294809_WINWORD.EXE_3548_4412_1651.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294809_WINWORD.EXE_3548_4412_1650.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294809_WINWORD.EXE_3548_4412_1649.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294810_WINWORD.EXE_3548_4412_1648.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294810_WINWORD.EXE_3548_4412_1647.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294811_WINWORD.EXE_3548_4412_1646.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294811_WINWORD.EXE_3548_4412_1645.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294812_WINWORD.EXE_3548_4412_1644.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294812_WINWORD.EXE_3548_4412_1643.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294813_WINWORD.EXE_3548_4412_1642.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294813_WINWORD.EXE_3548_4412_1641.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294813_WINWORD.EXE_3548_4412_1640.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294814_WINWORD.EXE_3548_4412_1639.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294814_WINWORD.EXE_3548_4412_1638.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294815_WINWORD.EXE_3548_4412_1637.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294815_WINWORD.EXE_3548_4412_1636.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294816_WINWORD.EXE_3548_4412_1635.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294816_WINWORD.EXE_3548_4412_1634.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294817_WINWORD.EXE_3548_4412_1633.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294817_WINWORD.EXE_3548_4412_1632.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294817_WINWORD.EXE_3548_4412_1631.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294818_WINWORD.EXE_3548_4412_1630.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294818_WINWORD.EXE_3548_4412_1629.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294819_WINWORD.EXE_3548_4412_1628.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294819_WINWORD.EXE_3548_4412_1627.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 11241100x80000000000000001547779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294820_WINWORD.EXE_3548_4412_1626.dmp2021-04-21 17:49:35.768 23542300x80000000000000001547778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9134AC71587070382E3B50C7A8F1486,SHA256=CCD5CF40217858B8B976DF17E40076A34D9AA41F4D90093D6F4543B98E448003falsefalse - insufficient disk space 11241100x80000000000000001547777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294821_WINWORD.EXE_3548_4412_1625.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294821_WINWORD.EXE_3548_4412_1624.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294822_WINWORD.EXE_3548_4412_1623.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294822_WINWORD.EXE_3548_4412_1622.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294823_WINWORD.EXE_3548_4412_1621.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294823_WINWORD.EXE_3548_4412_1620.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294824_WINWORD.EXE_3548_4412_1619.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294824_WINWORD.EXE_3548_4412_1618.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294825_WINWORD.EXE_3548_4412_1617.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294825_WINWORD.EXE_3548_4412_1616.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294826_WINWORD.EXE_3548_4412_1615.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294826_WINWORD.EXE_3548_4412_1614.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294827_WINWORD.EXE_3548_4412_1613.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294827_WINWORD.EXE_3548_4412_1612.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294827_WINWORD.EXE_3548_4412_1611.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294828_WINWORD.EXE_3548_4412_1610.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294828_WINWORD.EXE_3548_4412_1609.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294829_WINWORD.EXE_3548_4412_1608.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294829_WINWORD.EXE_3548_4412_1607.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294830_WINWORD.EXE_3548_4412_1606.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294830_WINWORD.EXE_3548_4412_1605.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294830_WINWORD.EXE_3548_4412_1604.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294831_WINWORD.EXE_3548_4412_1603.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294831_WINWORD.EXE_3548_4412_1602.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294832_WINWORD.EXE_3548_4412_1601.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294832_WINWORD.EXE_3548_4412_1600.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294833_WINWORD.EXE_3548_4412_1599.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294833_WINWORD.EXE_3548_4412_1598.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294834_WINWORD.EXE_3548_4412_1597.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294834_WINWORD.EXE_3548_4412_1596.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294835_WINWORD.EXE_3548_4412_1595.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294835_WINWORD.EXE_3548_4412_1594.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294835_WINWORD.EXE_3548_4412_1593.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294836_WINWORD.EXE_3548_4412_1592.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294836_WINWORD.EXE_3548_4412_1591.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294837_WINWORD.EXE_3548_4412_1590.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294837_WINWORD.EXE_3548_4412_1589.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294838_WINWORD.EXE_3548_4412_1588.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294838_WINWORD.EXE_3548_4412_1587.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294839_WINWORD.EXE_3548_4412_1586.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294839_WINWORD.EXE_3548_4412_1585.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294839_WINWORD.EXE_3548_4412_1584.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294840_WINWORD.EXE_3548_4412_1583.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294840_WINWORD.EXE_3548_4412_1582.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294841_WINWORD.EXE_3548_4412_1581.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294841_WINWORD.EXE_3548_4412_1580.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294842_WINWORD.EXE_3548_4412_1579.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294842_WINWORD.EXE_3548_4412_1578.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294842_WINWORD.EXE_3548_4412_1577.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294843_WINWORD.EXE_3548_4412_1576.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294843_WINWORD.EXE_3548_4412_1575.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294844_WINWORD.EXE_3548_4412_1574.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294844_WINWORD.EXE_3548_4412_1573.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294845_WINWORD.EXE_3548_4412_1572.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294845_WINWORD.EXE_3548_4412_1571.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294846_WINWORD.EXE_3548_4412_1570.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294846_WINWORD.EXE_3548_4412_1569.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294846_WINWORD.EXE_3548_4412_1568.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294847_WINWORD.EXE_3548_4412_1567.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294847_WINWORD.EXE_3548_4412_1566.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294848_WINWORD.EXE_3548_4412_1565.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294848_WINWORD.EXE_3548_4412_1564.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294849_WINWORD.EXE_3548_4412_1563.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294849_WINWORD.EXE_3548_4412_1562.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294850_WINWORD.EXE_3548_4412_1561.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294850_WINWORD.EXE_3548_4412_1560.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294851_WINWORD.EXE_3548_4412_1559.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294851_WINWORD.EXE_3548_4412_1558.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294851_WINWORD.EXE_3548_4412_1557.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294852_WINWORD.EXE_3548_4412_1556.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294852_WINWORD.EXE_3548_4412_1555.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294853_WINWORD.EXE_3548_4412_1554.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294853_WINWORD.EXE_3548_4412_1553.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294854_WINWORD.EXE_3548_4412_1552.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294854_WINWORD.EXE_3548_4412_1551.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294855_WINWORD.EXE_3548_4412_1550.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294855_WINWORD.EXE_3548_4412_1549.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294856_WINWORD.EXE_3548_4412_1548.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294856_WINWORD.EXE_3548_4412_1547.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294856_WINWORD.EXE_3548_4412_1546.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294857_WINWORD.EXE_3548_4412_1545.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294857_WINWORD.EXE_3548_4412_1544.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294858_WINWORD.EXE_3548_4412_1543.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294858_WINWORD.EXE_3548_4412_1542.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294859_WINWORD.EXE_3548_4412_1541.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294859_WINWORD.EXE_3548_4412_1540.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294860_WINWORD.EXE_3548_4412_1539.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294860_WINWORD.EXE_3548_4412_1538.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294861_WINWORD.EXE_3548_4412_1537.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294861_WINWORD.EXE_3548_4412_1536.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294862_WINWORD.EXE_3548_4412_1535.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294862_WINWORD.EXE_3548_4412_1534.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294863_WINWORD.EXE_3548_4412_1533.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 11241100x80000000000000001547683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294863_WINWORD.EXE_3548_4412_1532.dmp2021-04-21 17:49:35.721 23542300x80000000000000001547682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBFF8C9711C925AF5A1DEE1028107E7,SHA256=D435B101CD7F9014BC8B0A34C4C8050A137905C7320407C99DD33F51B5B90E4Bfalsefalse - insufficient disk space 11241100x80000000000000001547681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294864_WINWORD.EXE_3548_4412_1531.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294864_WINWORD.EXE_3548_4412_1530.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294865_WINWORD.EXE_3548_4412_1529.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294865_WINWORD.EXE_3548_4412_1528.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294866_WINWORD.EXE_3548_4412_1527.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294867_WINWORD.EXE_3548_4412_1526.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294867_WINWORD.EXE_3548_4412_1525.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294868_WINWORD.EXE_3548_4412_1524.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294868_WINWORD.EXE_3548_4412_1523.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294869_WINWORD.EXE_3548_4412_1522.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294869_WINWORD.EXE_3548_4412_1521.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294870_WINWORD.EXE_3548_4412_1520.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294870_WINWORD.EXE_3548_4412_1519.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294871_WINWORD.EXE_3548_4412_1518.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294871_WINWORD.EXE_3548_4412_1517.dmp2021-04-21 17:49:35.721 11241100x80000000000000001547666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.721{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294872_WINWORD.EXE_3548_4412_1516.dmp2021-04-21 17:49:35.720 11241100x80000000000000001547665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.720{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294872_WINWORD.EXE_3548_4412_1515.dmp2021-04-21 17:49:35.720 11241100x80000000000000001547664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.720{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294873_WINWORD.EXE_3548_4412_1514.dmp2021-04-21 17:49:35.719 11241100x80000000000000001547663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.719{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294873_WINWORD.EXE_3548_4412_1513.dmp2021-04-21 17:49:35.719 11241100x80000000000000001547662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.718{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294874_WINWORD.EXE_3548_4412_1512.dmp2021-04-21 17:49:35.718 11241100x80000000000000001547661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.718{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294875_WINWORD.EXE_3548_4412_1511.dmp2021-04-21 17:49:35.717 11241100x80000000000000001547660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.717{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294875_WINWORD.EXE_3548_4412_1510.dmp2021-04-21 17:49:35.717 11241100x80000000000000001547659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.716{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294876_WINWORD.EXE_3548_4412_1509.dmp2021-04-21 17:49:35.716 11241100x80000000000000001547658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.716{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294876_WINWORD.EXE_3548_4412_1508.dmp2021-04-21 17:49:35.716 11241100x80000000000000001547657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.715{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294877_WINWORD.EXE_3548_4412_1507.dmp2021-04-21 17:49:35.715 11241100x80000000000000001547656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294877_WINWORD.EXE_3548_4412_1506.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294878_WINWORD.EXE_3548_4412_1505.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294878_WINWORD.EXE_3548_4412_1504.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294879_WINWORD.EXE_3548_4412_1503.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294879_WINWORD.EXE_3548_4412_1502.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294880_WINWORD.EXE_3548_4412_1501.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294880_WINWORD.EXE_3548_4412_1500.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294880_WINWORD.EXE_3548_4412_1499.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294881_WINWORD.EXE_3548_4412_1498.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294881_WINWORD.EXE_3548_4412_1497.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294882_WINWORD.EXE_3548_4412_1496.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294882_WINWORD.EXE_3548_4412_1495.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294883_WINWORD.EXE_3548_4412_1494.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294883_WINWORD.EXE_3548_4412_1493.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294884_WINWORD.EXE_3548_4412_1492.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294884_WINWORD.EXE_3548_4412_1491.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294884_WINWORD.EXE_3548_4412_1490.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294885_WINWORD.EXE_3548_4412_1489.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294885_WINWORD.EXE_3548_4412_1488.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294886_WINWORD.EXE_3548_4412_1487.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294886_WINWORD.EXE_3548_4412_1486.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294887_WINWORD.EXE_3548_4412_1485.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294887_WINWORD.EXE_3548_4412_1484.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294890_WINWORD.EXE_3548_4412_1483.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294890_WINWORD.EXE_3548_4412_1482.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294891_WINWORD.EXE_3548_4412_1481.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294891_WINWORD.EXE_3548_4412_1480.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294892_WINWORD.EXE_3548_4412_1479.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294892_WINWORD.EXE_3548_4412_1478.dmp2021-04-21 17:49:35.699 11241100x80000000000000001547627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.699{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294893_WINWORD.EXE_3548_4412_1477.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294893_WINWORD.EXE_3548_4412_1476.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294894_WINWORD.EXE_3548_4412_1475.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294894_WINWORD.EXE_3548_4412_1474.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294894_WINWORD.EXE_3548_4412_1473.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294895_WINWORD.EXE_3548_4412_1472.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294895_WINWORD.EXE_3548_4412_1471.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294896_WINWORD.EXE_3548_4412_1470.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294896_WINWORD.EXE_3548_4412_1469.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294897_WINWORD.EXE_3548_4412_1468.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294897_WINWORD.EXE_3548_4412_1467.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294898_WINWORD.EXE_3548_4412_1466.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294898_WINWORD.EXE_3548_4412_1465.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294899_WINWORD.EXE_3548_4412_1464.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294899_WINWORD.EXE_3548_4412_1463.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294899_WINWORD.EXE_3548_4412_1462.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294900_WINWORD.EXE_3548_4412_1461.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294900_WINWORD.EXE_3548_4412_1460.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294901_WINWORD.EXE_3548_4412_1459.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294901_WINWORD.EXE_3548_4412_1458.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294902_WINWORD.EXE_3548_4412_1457.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294902_WINWORD.EXE_3548_4412_1456.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294903_WINWORD.EXE_3548_4412_1455.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294903_WINWORD.EXE_3548_4412_1454.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294903_WINWORD.EXE_3548_4412_1453.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294904_WINWORD.EXE_3548_4412_1452.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294904_WINWORD.EXE_3548_4412_1451.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294905_WINWORD.EXE_3548_4412_1450.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294905_WINWORD.EXE_3548_4412_1449.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294906_WINWORD.EXE_3548_4412_1448.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294906_WINWORD.EXE_3548_4412_1447.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294907_WINWORD.EXE_3548_4412_1446.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294907_WINWORD.EXE_3548_4412_1445.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294908_WINWORD.EXE_3548_4412_1444.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294908_WINWORD.EXE_3548_4412_1443.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294908_WINWORD.EXE_3548_4412_1442.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294909_WINWORD.EXE_3548_4412_1441.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294909_WINWORD.EXE_3548_4412_1440.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294910_WINWORD.EXE_3548_4412_1439.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294910_WINWORD.EXE_3548_4412_1438.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294911_WINWORD.EXE_3548_4412_1437.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294911_WINWORD.EXE_3548_4412_1436.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294911_WINWORD.EXE_3548_4412_1435.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294912_WINWORD.EXE_3548_4412_1434.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294912_WINWORD.EXE_3548_4412_1433.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294913_WINWORD.EXE_3548_4412_1432.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294913_WINWORD.EXE_3548_4412_1431.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294914_WINWORD.EXE_3548_4412_1430.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294914_WINWORD.EXE_3548_4412_1429.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294914_WINWORD.EXE_3548_4412_1428.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294915_WINWORD.EXE_3548_4412_1427.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294915_WINWORD.EXE_3548_4412_1426.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294916_WINWORD.EXE_3548_4412_1425.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294916_WINWORD.EXE_3548_4412_1424.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294917_WINWORD.EXE_3548_4412_1423.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294917_WINWORD.EXE_3548_4412_1422.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294918_WINWORD.EXE_3548_4412_1421.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294918_WINWORD.EXE_3548_4412_1420.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294919_WINWORD.EXE_3548_4412_1419.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294919_WINWORD.EXE_3548_4412_1418.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294920_WINWORD.EXE_3548_4412_1417.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294920_WINWORD.EXE_3548_4412_1416.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294921_WINWORD.EXE_3548_4412_1415.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294921_WINWORD.EXE_3548_4412_1414.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294921_WINWORD.EXE_3548_4412_1413.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294922_WINWORD.EXE_3548_4412_1412.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294922_WINWORD.EXE_3548_4412_1411.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294923_WINWORD.EXE_3548_4412_1410.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294923_WINWORD.EXE_3548_4412_1409.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294924_WINWORD.EXE_3548_4412_1408.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294924_WINWORD.EXE_3548_4412_1407.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294925_WINWORD.EXE_3548_4412_1406.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294925_WINWORD.EXE_3548_4412_1405.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294925_WINWORD.EXE_3548_4412_1404.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294926_WINWORD.EXE_3548_4412_1403.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294926_WINWORD.EXE_3548_4412_1402.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294927_WINWORD.EXE_3548_4412_1401.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294927_WINWORD.EXE_3548_4412_1400.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294928_WINWORD.EXE_3548_4412_1399.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294928_WINWORD.EXE_3548_4412_1398.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294928_WINWORD.EXE_3548_4412_1397.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294929_WINWORD.EXE_3548_4412_1396.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294929_WINWORD.EXE_3548_4412_1395.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294930_WINWORD.EXE_3548_4412_1394.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294930_WINWORD.EXE_3548_4412_1393.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294931_WINWORD.EXE_3548_4412_1392.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294931_WINWORD.EXE_3548_4412_1391.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294931_WINWORD.EXE_3548_4412_1390.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294932_WINWORD.EXE_3548_4412_1389.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294932_WINWORD.EXE_3548_4412_1388.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294933_WINWORD.EXE_3548_4412_1387.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294933_WINWORD.EXE_3548_4412_1386.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294934_WINWORD.EXE_3548_4412_1385.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294934_WINWORD.EXE_3548_4412_1384.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294935_WINWORD.EXE_3548_4412_1383.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294935_WINWORD.EXE_3548_4412_1382.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294935_WINWORD.EXE_3548_4412_1381.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294936_WINWORD.EXE_3548_4412_1380.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294936_WINWORD.EXE_3548_4412_1379.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294937_WINWORD.EXE_3548_4412_1378.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294937_WINWORD.EXE_3548_4412_1377.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294938_WINWORD.EXE_3548_4412_1376.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294938_WINWORD.EXE_3548_4412_1375.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294939_WINWORD.EXE_3548_4412_1374.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294939_WINWORD.EXE_3548_4412_1373.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294940_WINWORD.EXE_3548_4412_1372.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294940_WINWORD.EXE_3548_4412_1371.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294940_WINWORD.EXE_3548_4412_1370.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294941_WINWORD.EXE_3548_4412_1369.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294941_WINWORD.EXE_3548_4412_1368.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294942_WINWORD.EXE_3548_4412_1367.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294942_WINWORD.EXE_3548_4412_1366.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294943_WINWORD.EXE_3548_4412_1365.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294943_WINWORD.EXE_3548_4412_1364.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294943_WINWORD.EXE_3548_4412_1363.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294944_WINWORD.EXE_3548_4412_1362.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294944_WINWORD.EXE_3548_4412_1361.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294945_WINWORD.EXE_3548_4412_1360.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294945_WINWORD.EXE_3548_4412_1359.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294946_WINWORD.EXE_3548_4412_1358.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294946_WINWORD.EXE_3548_4412_1357.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294947_WINWORD.EXE_3548_4412_1356.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294947_WINWORD.EXE_3548_4412_1355.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294947_WINWORD.EXE_3548_4412_1354.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294948_WINWORD.EXE_3548_4412_1353.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294948_WINWORD.EXE_3548_4412_1352.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294949_WINWORD.EXE_3548_4412_1351.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294949_WINWORD.EXE_3548_4412_1350.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294950_WINWORD.EXE_3548_4412_1349.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294950_WINWORD.EXE_3548_4412_1348.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294951_WINWORD.EXE_3548_4412_1347.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294951_WINWORD.EXE_3548_4412_1346.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294951_WINWORD.EXE_3548_4412_1345.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294952_WINWORD.EXE_3548_4412_1344.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294952_WINWORD.EXE_3548_4412_1343.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294953_WINWORD.EXE_3548_4412_1342.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294953_WINWORD.EXE_3548_4412_1341.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294954_WINWORD.EXE_3548_4412_1340.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294954_WINWORD.EXE_3548_4412_1339.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294954_WINWORD.EXE_3548_4412_1338.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294955_WINWORD.EXE_3548_4412_1337.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294955_WINWORD.EXE_3548_4412_1336.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294956_WINWORD.EXE_3548_4412_1335.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294956_WINWORD.EXE_3548_4412_1334.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294957_WINWORD.EXE_3548_4412_1333.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294957_WINWORD.EXE_3548_4412_1332.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294957_WINWORD.EXE_3548_4412_1331.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294958_WINWORD.EXE_3548_4412_1330.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294958_WINWORD.EXE_3548_4412_1329.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294959_WINWORD.EXE_3548_4412_1328.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294959_WINWORD.EXE_3548_4412_1327.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294960_WINWORD.EXE_3548_4412_1326.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294960_WINWORD.EXE_3548_4412_1325.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294961_WINWORD.EXE_3548_4412_1324.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294961_WINWORD.EXE_3548_4412_1323.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294961_WINWORD.EXE_3548_4412_1322.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294962_WINWORD.EXE_3548_4412_1321.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294962_WINWORD.EXE_3548_4412_1320.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294963_WINWORD.EXE_3548_4412_1319.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294963_WINWORD.EXE_3548_4412_1318.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294964_WINWORD.EXE_3548_4412_1317.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294964_WINWORD.EXE_3548_4412_1316.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294964_WINWORD.EXE_3548_4412_1315.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294965_WINWORD.EXE_3548_4412_1314.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294965_WINWORD.EXE_3548_4412_1313.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294966_WINWORD.EXE_3548_4412_1312.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294966_WINWORD.EXE_3548_4412_1311.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294967_WINWORD.EXE_3548_4412_1310.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294967_WINWORD.EXE_3548_4412_1309.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294968_WINWORD.EXE_3548_4412_1308.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294968_WINWORD.EXE_3548_4412_1307.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294968_WINWORD.EXE_3548_4412_1306.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294969_WINWORD.EXE_3548_4412_1305.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294969_WINWORD.EXE_3548_4412_1304.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294970_WINWORD.EXE_3548_4412_1303.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294970_WINWORD.EXE_3548_4412_1302.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294971_WINWORD.EXE_3548_4412_1301.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294971_WINWORD.EXE_3548_4412_1300.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.620{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294972_WINWORD.EXE_3548_4412_1299.dmp2021-04-21 17:49:35.620 11241100x80000000000000001547448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.620{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294972_WINWORD.EXE_3548_4412_1298.dmp2021-04-21 17:49:35.620 11241100x80000000000000001547447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.619{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294973_WINWORD.EXE_3548_4412_1297.dmp2021-04-21 17:49:35.619 11241100x80000000000000001547446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.619{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294973_WINWORD.EXE_3548_4412_1296.dmp2021-04-21 17:49:35.618 11241100x80000000000000001547445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.619{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001547444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.618{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C29C13482E40F9F0D273BDA0EFBB18,SHA256=C5518020B773909FA244A65066382953C7C124472B0AF6063749BBC7B11DC413falsefalse - insufficient disk space 11241100x80000000000000001547443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.618{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294974_WINWORD.EXE_3548_4412_1295.dmp2021-04-21 17:49:35.618 11241100x80000000000000001547442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.617{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294975_WINWORD.EXE_3548_4412_1294.dmp2021-04-21 17:49:35.617 11241100x80000000000000001547441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.617{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294975_WINWORD.EXE_3548_4412_1293.dmp2021-04-21 17:49:35.617 11241100x80000000000000001547440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.616{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294976_WINWORD.EXE_3548_4412_1292.dmp2021-04-21 17:49:35.616 11241100x80000000000000001547439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.616{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294976_WINWORD.EXE_3548_4412_1291.dmp2021-04-21 17:49:35.615 11241100x80000000000000001547438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.615{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294977_WINWORD.EXE_3548_4412_1290.dmp2021-04-21 17:49:35.615 11241100x80000000000000001547437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.615{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294977_WINWORD.EXE_3548_4412_1289.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294978_WINWORD.EXE_3548_4412_1288.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294978_WINWORD.EXE_3548_4412_1287.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294979_WINWORD.EXE_3548_4412_1286.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294979_WINWORD.EXE_3548_4412_1285.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294980_WINWORD.EXE_3548_4412_1284.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294980_WINWORD.EXE_3548_4412_1283.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294980_WINWORD.EXE_3548_4412_1282.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294981_WINWORD.EXE_3548_4412_1281.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294981_WINWORD.EXE_3548_4412_1280.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294982_WINWORD.EXE_3548_4412_1279.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294982_WINWORD.EXE_3548_4412_1278.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294983_WINWORD.EXE_3548_4412_1277.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294983_WINWORD.EXE_3548_4412_1276.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294984_WINWORD.EXE_3548_4412_1275.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294984_WINWORD.EXE_3548_4412_1274.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294984_WINWORD.EXE_3548_4412_1273.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294985_WINWORD.EXE_3548_4412_1272.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294985_WINWORD.EXE_3548_4412_1271.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294986_WINWORD.EXE_3548_4412_1270.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294986_WINWORD.EXE_3548_4412_1269.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294987_WINWORD.EXE_3548_4412_1268.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294987_WINWORD.EXE_3548_4412_1267.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294987_WINWORD.EXE_3548_4412_1266.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294990_WINWORD.EXE_3548_4412_1265.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294991_WINWORD.EXE_3548_4412_1264.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294991_WINWORD.EXE_3548_4412_1263.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294992_WINWORD.EXE_3548_4412_1262.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294992_WINWORD.EXE_3548_4412_1261.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294993_WINWORD.EXE_3548_4412_1260.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294993_WINWORD.EXE_3548_4412_1259.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294994_WINWORD.EXE_3548_4412_1258.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294994_WINWORD.EXE_3548_4412_1257.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294995_WINWORD.EXE_3548_4412_1256.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294995_WINWORD.EXE_3548_4412_1255.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294995_WINWORD.EXE_3548_4412_1254.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294996_WINWORD.EXE_3548_4412_1253.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294996_WINWORD.EXE_3548_4412_1252.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294997_WINWORD.EXE_3548_4412_1251.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294997_WINWORD.EXE_3548_4412_1250.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294998_WINWORD.EXE_3548_4412_1249.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294998_WINWORD.EXE_3548_4412_1248.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294998_WINWORD.EXE_3548_4412_1247.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294999_WINWORD.EXE_3548_4412_1246.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294999_WINWORD.EXE_3548_4412_1245.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295000_WINWORD.EXE_3548_4412_1244.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295000_WINWORD.EXE_3548_4412_1243.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295001_WINWORD.EXE_3548_4412_1242.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295001_WINWORD.EXE_3548_4412_1241.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295002_WINWORD.EXE_3548_4412_1240.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295002_WINWORD.EXE_3548_4412_1239.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295002_WINWORD.EXE_3548_4412_1238.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295003_WINWORD.EXE_3548_4412_1237.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295003_WINWORD.EXE_3548_4412_1236.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295004_WINWORD.EXE_3548_4412_1235.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295004_WINWORD.EXE_3548_4412_1234.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295005_WINWORD.EXE_3548_4412_1233.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295005_WINWORD.EXE_3548_4412_1232.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295006_WINWORD.EXE_3548_4412_1231.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295006_WINWORD.EXE_3548_4412_1230.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295006_WINWORD.EXE_3548_4412_1229.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295007_WINWORD.EXE_3548_4412_1228.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295011_WINWORD.EXE_3548_4412_1227.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295011_WINWORD.EXE_3548_4412_1226.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295012_WINWORD.EXE_3548_4412_1225.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295012_WINWORD.EXE_3548_4412_1224.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295013_WINWORD.EXE_3548_4412_1223.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295013_WINWORD.EXE_3548_4412_1222.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295014_WINWORD.EXE_3548_4412_1221.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295014_WINWORD.EXE_3548_4412_1220.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295014_WINWORD.EXE_3548_4412_1219.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295015_WINWORD.EXE_3548_4412_1218.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295015_WINWORD.EXE_3548_4412_1217.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295016_WINWORD.EXE_3548_4412_1216.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295016_WINWORD.EXE_3548_4412_1215.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295017_WINWORD.EXE_3548_4412_1214.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295017_WINWORD.EXE_3548_4412_1213.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295018_WINWORD.EXE_3548_4412_1212.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295018_WINWORD.EXE_3548_4412_1211.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295018_WINWORD.EXE_3548_4412_1210.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295019_WINWORD.EXE_3548_4412_1209.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295019_WINWORD.EXE_3548_4412_1208.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295020_WINWORD.EXE_3548_4412_1207.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295020_WINWORD.EXE_3548_4412_1206.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295021_WINWORD.EXE_3548_4412_1205.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295021_WINWORD.EXE_3548_4412_1204.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295021_WINWORD.EXE_3548_4412_1203.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295022_WINWORD.EXE_3548_4412_1202.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295022_WINWORD.EXE_3548_4412_1201.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295023_WINWORD.EXE_3548_4412_1200.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295023_WINWORD.EXE_3548_4412_1199.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295024_WINWORD.EXE_3548_4412_1198.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.568{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295024_WINWORD.EXE_3548_4412_1197.dmp2021-04-21 17:49:35.568 11241100x80000000000000001547344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295025_WINWORD.EXE_3548_4412_1196.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295025_WINWORD.EXE_3548_4412_1195.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295025_WINWORD.EXE_3548_4412_1194.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295026_WINWORD.EXE_3548_4412_1193.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295026_WINWORD.EXE_3548_4412_1192.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295027_WINWORD.EXE_3548_4412_1191.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295027_WINWORD.EXE_3548_4412_1190.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295028_WINWORD.EXE_3548_4412_1189.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295028_WINWORD.EXE_3548_4412_1188.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295028_WINWORD.EXE_3548_4412_1187.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295029_WINWORD.EXE_3548_4412_1186.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295029_WINWORD.EXE_3548_4412_1185.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295030_WINWORD.EXE_3548_4412_1184.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295030_WINWORD.EXE_3548_4412_1183.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295031_WINWORD.EXE_3548_4412_1182.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295031_WINWORD.EXE_3548_4412_1181.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295031_WINWORD.EXE_3548_4412_1180.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295032_WINWORD.EXE_3548_4412_1179.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295032_WINWORD.EXE_3548_4412_1178.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295033_WINWORD.EXE_3548_4412_1177.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295033_WINWORD.EXE_3548_4412_1176.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295034_WINWORD.EXE_3548_4412_1175.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295034_WINWORD.EXE_3548_4412_1174.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295034_WINWORD.EXE_3548_4412_1173.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295035_WINWORD.EXE_3548_4412_1172.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295035_WINWORD.EXE_3548_4412_1171.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295036_WINWORD.EXE_3548_4412_1170.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295036_WINWORD.EXE_3548_4412_1169.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295037_WINWORD.EXE_3548_4412_1168.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295037_WINWORD.EXE_3548_4412_1167.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295038_WINWORD.EXE_3548_4412_1166.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295038_WINWORD.EXE_3548_4412_1165.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295038_WINWORD.EXE_3548_4412_1164.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295039_WINWORD.EXE_3548_4412_1163.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295039_WINWORD.EXE_3548_4412_1162.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.552{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295040_WINWORD.EXE_3548_4412_1161.dmp2021-04-21 17:49:35.552 11241100x80000000000000001547308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295040_WINWORD.EXE_3548_4412_1160.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295041_WINWORD.EXE_3548_4412_1159.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295041_WINWORD.EXE_3548_4412_1158.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295042_WINWORD.EXE_3548_4412_1157.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295042_WINWORD.EXE_3548_4412_1156.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295042_WINWORD.EXE_3548_4412_1155.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295043_WINWORD.EXE_3548_4412_1154.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295043_WINWORD.EXE_3548_4412_1153.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295044_WINWORD.EXE_3548_4412_1152.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295044_WINWORD.EXE_3548_4412_1151.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295045_WINWORD.EXE_3548_4412_1150.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295045_WINWORD.EXE_3548_4412_1149.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295045_WINWORD.EXE_3548_4412_1148.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295046_WINWORD.EXE_3548_4412_1147.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295046_WINWORD.EXE_3548_4412_1146.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295047_WINWORD.EXE_3548_4412_1145.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295047_WINWORD.EXE_3548_4412_1144.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295048_WINWORD.EXE_3548_4412_1143.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295048_WINWORD.EXE_3548_4412_1142.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295048_WINWORD.EXE_3548_4412_1141.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295049_WINWORD.EXE_3548_4412_1140.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295049_WINWORD.EXE_3548_4412_1139.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295050_WINWORD.EXE_3548_4412_1138.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295050_WINWORD.EXE_3548_4412_1137.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295051_WINWORD.EXE_3548_4412_1136.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295051_WINWORD.EXE_3548_4412_1135.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295051_WINWORD.EXE_3548_4412_1134.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295052_WINWORD.EXE_3548_4412_1133.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295052_WINWORD.EXE_3548_4412_1132.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295053_WINWORD.EXE_3548_4412_1131.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295053_WINWORD.EXE_3548_4412_1130.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295054_WINWORD.EXE_3548_4412_1129.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295054_WINWORD.EXE_3548_4412_1128.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295054_WINWORD.EXE_3548_4412_1127.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295055_WINWORD.EXE_3548_4412_1126.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.537{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295055_WINWORD.EXE_3548_4412_1125.dmp2021-04-21 17:49:35.537 11241100x80000000000000001547272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295056_WINWORD.EXE_3548_4412_1124.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295056_WINWORD.EXE_3548_4412_1123.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295057_WINWORD.EXE_3548_4412_1122.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295057_WINWORD.EXE_3548_4412_1121.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295058_WINWORD.EXE_3548_4412_1120.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295058_WINWORD.EXE_3548_4412_1119.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295058_WINWORD.EXE_3548_4412_1118.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295059_WINWORD.EXE_3548_4412_1117.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295059_WINWORD.EXE_3548_4412_1116.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295060_WINWORD.EXE_3548_4412_1115.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295060_WINWORD.EXE_3548_4412_1114.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295061_WINWORD.EXE_3548_4412_1113.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295061_WINWORD.EXE_3548_4412_1112.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295062_WINWORD.EXE_3548_4412_1111.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295062_WINWORD.EXE_3548_4412_1110.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295063_WINWORD.EXE_3548_4412_1109.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295063_WINWORD.EXE_3548_4412_1108.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295063_WINWORD.EXE_3548_4412_1107.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295064_WINWORD.EXE_3548_4412_1106.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295064_WINWORD.EXE_3548_4412_1105.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295065_WINWORD.EXE_3548_4412_1104.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295065_WINWORD.EXE_3548_4412_1103.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295066_WINWORD.EXE_3548_4412_1102.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295066_WINWORD.EXE_3548_4412_1101.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295066_WINWORD.EXE_3548_4412_1100.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295067_WINWORD.EXE_3548_4412_1099.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295067_WINWORD.EXE_3548_4412_1098.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295068_WINWORD.EXE_3548_4412_1097.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295068_WINWORD.EXE_3548_4412_1096.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295069_WINWORD.EXE_3548_4412_1095.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295069_WINWORD.EXE_3548_4412_1094.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295069_WINWORD.EXE_3548_4412_1093.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295070_WINWORD.EXE_3548_4412_1092.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295070_WINWORD.EXE_3548_4412_1091.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295071_WINWORD.EXE_3548_4412_1090.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295071_WINWORD.EXE_3548_4412_1089.dmp2021-04-21 17:49:35.520 11241100x80000000000000001547236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.520{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295072_WINWORD.EXE_3548_4412_1088.dmp2021-04-21 17:49:35.520 11241100x80000000000000001547235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.520{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295072_WINWORD.EXE_3548_4412_1087.dmp2021-04-21 17:49:35.519 11241100x80000000000000001547234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.519{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295073_WINWORD.EXE_3548_4412_1086.dmp2021-04-21 17:49:35.519 11241100x80000000000000001547233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.519{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295073_WINWORD.EXE_3548_4412_1085.dmp2021-04-21 17:49:35.519 11241100x80000000000000001547232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.519{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295074_WINWORD.EXE_3548_4412_1084.dmp2021-04-21 17:49:35.519 11241100x80000000000000001547231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.518{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295074_WINWORD.EXE_3548_4412_1083.dmp2021-04-21 17:49:35.518 11241100x80000000000000001547230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.518{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295074_WINWORD.EXE_3548_4412_1082.dmp2021-04-21 17:49:35.518 11241100x80000000000000001547229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.517{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295075_WINWORD.EXE_3548_4412_1081.dmp2021-04-21 17:49:35.517 11241100x80000000000000001547228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.517{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295075_WINWORD.EXE_3548_4412_1080.dmp2021-04-21 17:49:35.517 11241100x80000000000000001547227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.516{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295076_WINWORD.EXE_3548_4412_1079.dmp2021-04-21 17:49:35.516 11241100x80000000000000001547226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.516{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295076_WINWORD.EXE_3548_4412_1078.dmp2021-04-21 17:49:35.516 11241100x80000000000000001547225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.515{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295077_WINWORD.EXE_3548_4412_1077.dmp2021-04-21 17:49:35.515 11241100x80000000000000001547224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.515{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295077_WINWORD.EXE_3548_4412_1076.dmp2021-04-21 17:49:35.515 11241100x80000000000000001547223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.515{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295078_WINWORD.EXE_3548_4412_1075.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295078_WINWORD.EXE_3548_4412_1074.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295078_WINWORD.EXE_3548_4412_1073.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295079_WINWORD.EXE_3548_4412_1072.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295079_WINWORD.EXE_3548_4412_1071.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295080_WINWORD.EXE_3548_4412_1070.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295080_WINWORD.EXE_3548_4412_1069.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295081_WINWORD.EXE_3548_4412_1068.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295081_WINWORD.EXE_3548_4412_1067.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295082_WINWORD.EXE_3548_4412_1066.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295082_WINWORD.EXE_3548_4412_1065.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295082_WINWORD.EXE_3548_4412_1064.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295083_WINWORD.EXE_3548_4412_1063.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295083_WINWORD.EXE_3548_4412_1062.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295084_WINWORD.EXE_3548_4412_1061.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295084_WINWORD.EXE_3548_4412_1060.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295085_WINWORD.EXE_3548_4412_1059.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295085_WINWORD.EXE_3548_4412_1058.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295086_WINWORD.EXE_3548_4412_1057.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295086_WINWORD.EXE_3548_4412_1056.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295086_WINWORD.EXE_3548_4412_1055.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295087_WINWORD.EXE_3548_4412_1054.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295087_WINWORD.EXE_3548_4412_1053.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295088_WINWORD.EXE_3548_4412_1052.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295088_WINWORD.EXE_3548_4412_1051.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295089_WINWORD.EXE_3548_4412_1050.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295089_WINWORD.EXE_3548_4412_1049.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295089_WINWORD.EXE_3548_4412_1048.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295090_WINWORD.EXE_3548_4412_1047.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295090_WINWORD.EXE_3548_4412_1046.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295091_WINWORD.EXE_3548_4412_1045.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295091_WINWORD.EXE_3548_4412_1044.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295092_WINWORD.EXE_3548_4412_1043.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295092_WINWORD.EXE_3548_4412_1042.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295093_WINWORD.EXE_3548_4412_1041.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295093_WINWORD.EXE_3548_4412_1040.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295093_WINWORD.EXE_3548_4412_1039.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295094_WINWORD.EXE_3548_4412_1038.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295094_WINWORD.EXE_3548_4412_1037.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295095_WINWORD.EXE_3548_4412_1036.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295095_WINWORD.EXE_3548_4412_1035.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295096_WINWORD.EXE_3548_4412_1034.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295096_WINWORD.EXE_3548_4412_1033.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295097_WINWORD.EXE_3548_4412_1032.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295097_WINWORD.EXE_3548_4412_1031.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295097_WINWORD.EXE_3548_4412_1030.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295098_WINWORD.EXE_3548_4412_1029.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295098_WINWORD.EXE_3548_4412_1028.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295099_WINWORD.EXE_3548_4412_1027.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295099_WINWORD.EXE_3548_4412_1026.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295100_WINWORD.EXE_3548_4412_1025.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295100_WINWORD.EXE_3548_4412_1024.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295100_WINWORD.EXE_3548_4412_1023.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295101_WINWORD.EXE_3548_4412_1022.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295101_WINWORD.EXE_3548_4412_1021.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295102_WINWORD.EXE_3548_4412_1020.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295102_WINWORD.EXE_3548_4412_1019.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295103_WINWORD.EXE_3548_4412_1018.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295103_WINWORD.EXE_3548_4412_1017.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295104_WINWORD.EXE_3548_4412_1016.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295104_WINWORD.EXE_3548_4412_1015.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295104_WINWORD.EXE_3548_4412_1014.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295105_WINWORD.EXE_3548_4412_1013.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295105_WINWORD.EXE_3548_4412_1012.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295106_WINWORD.EXE_3548_4412_1011.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295106_WINWORD.EXE_3548_4412_1010.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295107_WINWORD.EXE_3548_4412_1009.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295107_WINWORD.EXE_3548_4412_1008.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295108_WINWORD.EXE_3548_4412_1007.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295108_WINWORD.EXE_3548_4412_1006.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295108_WINWORD.EXE_3548_4412_1005.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295109_WINWORD.EXE_3548_4412_1004.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295109_WINWORD.EXE_3548_4412_1003.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295110_WINWORD.EXE_3548_4412_1002.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295110_WINWORD.EXE_3548_4412_1001.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295111_WINWORD.EXE_3548_4412_1000.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295111_WINWORD.EXE_3548_4412_999.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295112_WINWORD.EXE_3548_4412_998.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295112_WINWORD.EXE_3548_4412_997.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295112_WINWORD.EXE_3548_4412_996.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295113_WINWORD.EXE_3548_4412_995.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295113_WINWORD.EXE_3548_4412_994.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295114_WINWORD.EXE_3548_4412_993.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295114_WINWORD.EXE_3548_4412_992.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295115_WINWORD.EXE_3548_4412_991.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295115_WINWORD.EXE_3548_4412_990.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295116_WINWORD.EXE_3548_4412_989.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295116_WINWORD.EXE_3548_4412_988.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295117_WINWORD.EXE_3548_4412_987.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295117_WINWORD.EXE_3548_4412_986.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295117_WINWORD.EXE_3548_4412_985.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295118_WINWORD.EXE_3548_4412_984.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295118_WINWORD.EXE_3548_4412_983.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295119_WINWORD.EXE_3548_4412_982.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295119_WINWORD.EXE_3548_4412_981.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295120_WINWORD.EXE_3548_4412_980.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295120_WINWORD.EXE_3548_4412_979.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295121_WINWORD.EXE_3548_4412_978.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295121_WINWORD.EXE_3548_4412_977.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295121_WINWORD.EXE_3548_4412_976.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295122_WINWORD.EXE_3548_4412_975.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295122_WINWORD.EXE_3548_4412_974.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295123_WINWORD.EXE_3548_4412_973.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295123_WINWORD.EXE_3548_4412_972.dmp2021-04-21 17:49:35.468 11241100x80000000000000001547119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.468{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295126_WINWORD.EXE_3548_4412_971.dmp2021-04-21 17:49:35.468 13241300x80000000000000001547118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.468{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080502\VirtualDesktopBinary Data 12241200x80000000000000001547117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.468{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080502 11241100x80000000000000001547116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295127_WINWORD.EXE_3548_4412_970.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295127_WINWORD.EXE_3548_4412_969.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295128_WINWORD.EXE_3548_4412_968.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295128_WINWORD.EXE_3548_4412_967.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295129_WINWORD.EXE_3548_4412_966.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295129_WINWORD.EXE_3548_4412_965.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295129_WINWORD.EXE_3548_4412_964.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295130_WINWORD.EXE_3548_4412_963.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295130_WINWORD.EXE_3548_4412_962.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295131_WINWORD.EXE_3548_4412_961.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295131_WINWORD.EXE_3548_4412_960.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295132_WINWORD.EXE_3548_4412_959.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295132_WINWORD.EXE_3548_4412_958.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295133_WINWORD.EXE_3548_4412_957.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295133_WINWORD.EXE_3548_4412_956.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295133_WINWORD.EXE_3548_4412_955.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295134_WINWORD.EXE_3548_4412_954.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295134_WINWORD.EXE_3548_4412_953.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295135_WINWORD.EXE_3548_4412_952.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295135_WINWORD.EXE_3548_4412_951.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295136_WINWORD.EXE_3548_4412_950.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295136_WINWORD.EXE_3548_4412_949.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295136_WINWORD.EXE_3548_4412_948.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295137_WINWORD.EXE_3548_4412_947.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295137_WINWORD.EXE_3548_4412_946.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295138_WINWORD.EXE_3548_4412_945.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295138_WINWORD.EXE_3548_4412_944.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295139_WINWORD.EXE_3548_4412_943.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295139_WINWORD.EXE_3548_4412_942.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295139_WINWORD.EXE_3548_4412_941.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.452{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295140_WINWORD.EXE_3548_4412_940.dmp2021-04-21 17:49:35.452 11241100x80000000000000001547085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295140_WINWORD.EXE_3548_4412_939.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295141_WINWORD.EXE_3548_4412_938.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295141_WINWORD.EXE_3548_4412_937.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295142_WINWORD.EXE_3548_4412_936.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295142_WINWORD.EXE_3548_4412_935.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295142_WINWORD.EXE_3548_4412_934.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295143_WINWORD.EXE_3548_4412_933.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295143_WINWORD.EXE_3548_4412_932.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295144_WINWORD.EXE_3548_4412_931.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295144_WINWORD.EXE_3548_4412_930.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295145_WINWORD.EXE_3548_4412_929.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295145_WINWORD.EXE_3548_4412_928.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295145_WINWORD.EXE_3548_4412_927.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295146_WINWORD.EXE_3548_4412_926.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295146_WINWORD.EXE_3548_4412_925.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295147_WINWORD.EXE_3548_4412_924.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295147_WINWORD.EXE_3548_4412_923.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295148_WINWORD.EXE_3548_4412_922.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295148_WINWORD.EXE_3548_4412_921.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295148_WINWORD.EXE_3548_4412_920.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295149_WINWORD.EXE_3548_4412_919.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295149_WINWORD.EXE_3548_4412_918.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295150_WINWORD.EXE_3548_4412_917.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295150_WINWORD.EXE_3548_4412_916.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295151_WINWORD.EXE_3548_4412_915.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295151_WINWORD.EXE_3548_4412_914.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295152_WINWORD.EXE_3548_4412_913.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295152_WINWORD.EXE_3548_4412_912.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295152_WINWORD.EXE_3548_4412_911.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295153_WINWORD.EXE_3548_4412_910.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295153_WINWORD.EXE_3548_4412_909.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295154_WINWORD.EXE_3548_4412_908.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295154_WINWORD.EXE_3548_4412_907.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295155_WINWORD.EXE_3548_4412_906.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295155_WINWORD.EXE_3548_4412_905.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.436{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295156_WINWORD.EXE_3548_4412_904.dmp2021-04-21 17:49:35.436 11241100x80000000000000001547049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295156_WINWORD.EXE_3548_4412_903.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295156_WINWORD.EXE_3548_4412_902.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295157_WINWORD.EXE_3548_4412_901.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295157_WINWORD.EXE_3548_4412_900.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295158_WINWORD.EXE_3548_4412_899.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295158_WINWORD.EXE_3548_4412_898.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295159_WINWORD.EXE_3548_4412_897.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295159_WINWORD.EXE_3548_4412_896.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295159_WINWORD.EXE_3548_4412_895.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295160_WINWORD.EXE_3548_4412_894.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295160_WINWORD.EXE_3548_4412_893.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295161_WINWORD.EXE_3548_4412_892.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295161_WINWORD.EXE_3548_4412_891.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295162_WINWORD.EXE_3548_4412_890.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295162_WINWORD.EXE_3548_4412_889.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295163_WINWORD.EXE_3548_4412_888.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295163_WINWORD.EXE_3548_4412_887.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295163_WINWORD.EXE_3548_4412_886.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295164_WINWORD.EXE_3548_4412_885.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295164_WINWORD.EXE_3548_4412_884.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295165_WINWORD.EXE_3548_4412_883.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295165_WINWORD.EXE_3548_4412_882.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295166_WINWORD.EXE_3548_4412_881.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295166_WINWORD.EXE_3548_4412_880.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295166_WINWORD.EXE_3548_4412_879.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295167_WINWORD.EXE_3548_4412_878.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295167_WINWORD.EXE_3548_4412_877.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295168_WINWORD.EXE_3548_4412_876.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295168_WINWORD.EXE_3548_4412_875.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295169_WINWORD.EXE_3548_4412_874.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295169_WINWORD.EXE_3548_4412_873.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295169_WINWORD.EXE_3548_4412_872.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295170_WINWORD.EXE_3548_4412_871.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295170_WINWORD.EXE_3548_4412_870.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295171_WINWORD.EXE_3548_4412_869.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295171_WINWORD.EXE_3548_4412_868.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.420{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295172_WINWORD.EXE_3548_4412_867.dmp2021-04-21 17:49:35.420 11241100x80000000000000001547012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.420{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295172_WINWORD.EXE_3548_4412_866.dmp2021-04-21 17:49:35.420 11241100x80000000000000001547011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.419{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295173_WINWORD.EXE_3548_4412_865.dmp2021-04-21 17:49:35.419 11241100x80000000000000001547010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.419{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295173_WINWORD.EXE_3548_4412_864.dmp2021-04-21 17:49:35.419 11241100x80000000000000001547009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.418{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295173_WINWORD.EXE_3548_4412_863.dmp2021-04-21 17:49:35.418 11241100x80000000000000001547008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.418{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295174_WINWORD.EXE_3548_4412_862.dmp2021-04-21 17:49:35.418 11241100x80000000000000001547007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.418{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295174_WINWORD.EXE_3548_4412_861.dmp2021-04-21 17:49:35.417 11241100x80000000000000001547006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.417{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295175_WINWORD.EXE_3548_4412_860.dmp2021-04-21 17:49:35.417 11241100x80000000000000001547005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.417{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295175_WINWORD.EXE_3548_4412_859.dmp2021-04-21 17:49:35.417 11241100x80000000000000001547004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.416{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295176_WINWORD.EXE_3548_4412_858.dmp2021-04-21 17:49:35.416 11241100x80000000000000001547003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.416{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295176_WINWORD.EXE_3548_4412_857.dmp2021-04-21 17:49:35.416 11241100x80000000000000001547002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.415{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295177_WINWORD.EXE_3548_4412_856.dmp2021-04-21 17:49:35.415 11241100x80000000000000001547001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.415{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295177_WINWORD.EXE_3548_4412_855.dmp2021-04-21 17:49:35.415 11241100x80000000000000001547000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.414{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295177_WINWORD.EXE_3548_4412_854.dmp2021-04-21 17:49:35.414 11241100x80000000000000001546999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295178_WINWORD.EXE_3548_4412_853.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295178_WINWORD.EXE_3548_4412_852.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295179_WINWORD.EXE_3548_4412_851.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295179_WINWORD.EXE_3548_4412_850.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295180_WINWORD.EXE_3548_4412_849.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295180_WINWORD.EXE_3548_4412_848.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295181_WINWORD.EXE_3548_4412_847.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295181_WINWORD.EXE_3548_4412_846.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295181_WINWORD.EXE_3548_4412_845.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295182_WINWORD.EXE_3548_4412_844.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295182_WINWORD.EXE_3548_4412_843.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295183_WINWORD.EXE_3548_4412_842.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295183_WINWORD.EXE_3548_4412_841.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295184_WINWORD.EXE_3548_4412_840.dmp2021-04-21 17:49:35.399 10341000x80000000000000001546985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}35484412C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c98f|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d457|UNKNOWN(00000200BF36276A) 154100x80000000000000001546983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.407{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\dllhost.exeC:\Users\Administrator\Documents\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Administrator\Desktop\cs_doc1_rundll32.dotm" 11241100x80000000000000001546982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295186_WINWORD.EXE_3548_4412_839.dmp2021-04-21 17:49:35.399 13241300x80000000000000001546981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.399{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001546980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.399{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001546979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067474Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:36.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067473Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:36.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067472Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:36.251{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A17A0BA5FF9E96B4AA35BEAD269CC84,SHA256=17144A3D92FD10789C7253F55C60864082BAADE59F492168ED7C901066A50510,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.912{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001548508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.912{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B4A17FCE3209D14A13760B7DE351319C,SHA256=40C3654F64FF51A99BA34DE9DF81C66514A9E255444C299650DC4835A87D02A1falsefalse - insufficient disk space 11241100x80000000000000001548507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.912{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001548506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.912{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AD308801971211A6360D9ED31C7DC51E,SHA256=AA2F9203167BE2DBE507504DA15CB5B9695DC613D6B8523C27D05769C2FF7291falsefalse - insufficient disk space 11241100x80000000000000001548505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.411{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.411{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120335E23CDAA89B3FF05958FC542371,SHA256=9C14CD0A0E9BB856819FAFC13AD49903D8C159DC33A1224E2D8FB2C63627268Ffalsefalse - insufficient disk space 11241100x80000000000000001548503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.342{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.342{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205840ADD0A7941FA2B7BA89AEE3F866,SHA256=2D25750E653E8D6D33F5D05357636D46A3D8ACFA10C57EA4F2830B0F27B45A95falsefalse - insufficient disk space 734700x80000000000000001548501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.342{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=7CAAFE27AECA4ED69CC960438C1B5757,SHA256=725B17A1DC08013337B50D4E0A6E332CC4C30F164383DF2ABBC735001C834F2CtrueMicrosoft WindowsValid 13241300x80000000000000001548500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWordBinary Data 13241300x80000000000000001548499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastSyncTimeWordBinary Data 13241300x80000000000000001548498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000001548496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 10341000x80000000000000001548495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000001548494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001548493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001548488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502\VirtualDesktopBinary Data 12241200x80000000000000001548487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502 10341000x80000000000000001548486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001548485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.311{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles\FirstLevelConsentDialogQWORD (0x00000000-0x00090502) 12241200x80000000000000001548484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.311{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles 13241300x80000000000000001548483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.311{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles\FirstLevelConsentDialogQWORD (0x00000000-0x00090502) 12241200x80000000000000001548482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.311{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles 10341000x80000000000000001548481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\atlthunk.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=A0424A3330CB582D9B8713C8B739FBE8,SHA256=F6CD2DD95233A3B3374F99FF817F5E9628402B25333E3E79FB41C2686740D8D4trueMicrosoft WindowsValid 734700x80000000000000001548476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=6B79A24E4A03FB84ED7AD3CDEE60882E,SHA256=21FDC6DA3E5F2D55238D1801725353A879D5D909456C03DBBD3A7401DDAC464AtrueMicrosoft WindowsValid 734700x80000000000000001548475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 734700x80000000000000001548474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msls31.dll3.10.349.0Microsoft Line Services library fileMicrosoft® Line ServicesMicrosoft CorporationMSLS31.DLLMD5=B2911DEDDF06CA1AB66C810EB98AA503,SHA256=B8FAC47D96B3577104AA20C84E532024E4B8D7A7B222E715E7FBC368151E34D3trueMicrosoft WindowsValid 734700x80000000000000001548473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\usp10.dll10.0.14393.3321 (rs1_release.191016-1811)Uniscribe Unicode script processorMicrosoft® Windows® Operating SystemMicrosoft CorporationUSP10.DLLMD5=BABC9A4B603F1B79B3184EF2E902EFBD,SHA256=119158E0116F78286FFA4AEE4924B53E98821AA48687132C26DE22D75ECBF200trueMicrosoft WindowsValid 734700x80000000000000001548472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\riched20.dll5.31.23.1231Rich Text Edit Control, v3.1Microsoft RichEdit Control, version 3.1Microsoft Corporationriched20.dllMD5=8B3765D5135A105F4AD1B2582717B493,SHA256=6F0F9BF748660D218D21183A0B25D93BF5B659EF88B4F47E009480B3A244661FtrueMicrosoft WindowsValid 734700x80000000000000001548471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=4A6B9E1DD8DB4FF865318B8CA92CE8D1,SHA256=14C94E22015FEA86566876469B1ECB034BE9991D55CE2C20AB8EF86A1FB1A78CtrueMicrosoft WindowsValid 734700x80000000000000001548470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 10341000x80000000000000001548469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001548467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 11241100x80000000000000001548466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D072BCFF3BEB50DA63B0B963757F5EF,SHA256=24A314FA067AAFA5E192D2D4586AE66F801A983C01901B17F63A1D0D35A2AE94falsefalse - insufficient disk space 10341000x80000000000000001548464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001548462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 10341000x80000000000000001548461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001548459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 12241200x80000000000000001548458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000001548457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 12241200x80000000000000001548456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000001548434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 12241200x80000000000000001548432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000001548429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.198{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 12241200x80000000000000001548428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.263{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000001548400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.198{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=12ED40D048D0F5F44D3877936A1B7E8B,SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41trueMicrosoft WindowsValid 12241200x80000000000000001548399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000001548396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.262{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 12241200x80000000000000001548395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.258{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.258{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000001548367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.257{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=E106B5F926250103ED5FCECAAF5F2B50,SHA256=B94CEDC430D22B2BA88BB1520EDF9362850494896F810DB0AC9E552E9BF8C031trueMicrosoft WindowsValid 734700x80000000000000001548366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.194{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=6B79A24E4A03FB84ED7AD3CDEE60882E,SHA256=21FDC6DA3E5F2D55238D1801725353A879D5D909456C03DBBD3A7401DDAC464AtrueMicrosoft WindowsValid 12241200x80000000000000001548365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.256{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.256{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.256{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.256{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000001548351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.125{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 12241200x80000000000000001548350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.248{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000001548324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.122{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=1A1F35AD47F8EB4BB2203E875C20EDFE,SHA256=21F3B5877315EC221A1F23EA4863A4E987DBFF63D6FCC97C8D59801356413A4BtrueMicrosoft WindowsValid 12241200x80000000000000001548323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000001548303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.244{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\werui.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Error Reporting UI DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwerui.dllMD5=648905E84F3DF8C6A686BD73548ACDDD,SHA256=470A40456CB2D930B319B9FD938288A66A4CDA66C1DF170F393674CFD0D7660AtrueMicrosoft WindowsValid 10341000x80000000000000001548302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.236{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\wer.dll+3ef62(wow64)|C:\Windows\System32\wer.dll+3f333(wow64)|C:\Windows\System32\wer.dll+3fb69(wow64)|C:\Windows\System32\wer.dll+202eb(wow64)|C:\Windows\System32\wer.dll+14541(wow64)|C:\Windows\System32\faultrep.dll+fb1c(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 11241100x80000000000000001548301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.236{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\b79a5987-20ab-45b7-8412-ec3e13d502bc2021-04-21 17:49:36.235 11241100x80000000000000001548300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.235{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\bcab31a1-78ae-412a-8c99-ac46a1eb1a742021-04-21 17:49:36.234 11241100x80000000000000001548299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.233{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\20eed146-ae94-4256-8367-bef42b13ee1c2021-04-21 17:49:36.233 10341000x80000000000000001548298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.231{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\wer.dll+32eab(wow64)|C:\Windows\System32\wer.dll+24751(wow64)|C:\Windows\System32\wer.dll+145e9(wow64)|C:\Windows\System32\faultrep.dll+fa00(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x80000000000000001548297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.220{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33fe2f(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33d738(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee5e9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee664(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee6ed(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c8c5(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+29305d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1e12f4(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c4f9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb18d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb022(wow64) 10341000x80000000000000001548296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.201{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+3404d2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33c892(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+232f54(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+233565(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+239e56(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf2f2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cd856(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf434(wow64)|C:\Windows\System32\faultrep.dll+14a65(wow64)|C:\Windows\System32\faultrep.dll+e3db(wow64)|C:\Windows\System32\faultrep.dll+f895(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64) 734700x80000000000000001548295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.196{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\DbgModel.dll10.0.14321.1024 (debuggers(dbg).160906-1818)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=55AAAA3C2A11EE0F48BFB10D222C4A7F,SHA256=E756925EC8A21F951325CA6B5F10BC393FEA8217282B11CA9529A953CCEE89A7trueMicrosoft WindowsValid 734700x80000000000000001548294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.192{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating SystemMicrosoftDbgEng.DllMD5=E7B73634B272631F75020C9ECAEEB72F,SHA256=AB151D6AD97FCCD36C5326BAD72DCC2AD42449D5AFDE598AA9C1159C138B9744trueMicrosoft WindowsValid 354300x80000000000000001548293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.603{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64998-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001548292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.176{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725 23542300x80000000000000001548291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.176{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=83B554800A149999EB4D1C21EA6EC209,SHA256=9CFEACBD8953CEE4EB73589A4FFA926EBF5EEE7CAEA4CE57FD864B4D5EF77744falsefalse - insufficient disk space 11241100x80000000000000001548290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.175{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725 12241200x80000000000000001548289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 12241200x80000000000000001548288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x80000000000000001548287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000001548286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile 12241200x80000000000000001548285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root 13241300x80000000000000001548284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecordBinary Data 12241200x80000000000000001548283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug 23542300x80000000000000001548282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.150{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=25B921581CFF75221D254B1118EB46FE,SHA256=6FFFCCA0FE6296077D742F20DA06A10B43FD50B04AAAFD29629C5C442CBD3E2Efalsefalse - insufficient disk space 10341000x80000000000000001548281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.148{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+26bd3(wow64)|C:\Windows\System32\faultrep.dll+19d06(wow64)|C:\Windows\System32\faultrep.dll+19eb5(wow64)|C:\Windows\System32\faultrep.dll+194bb(wow64)|C:\Windows\System32\faultrep.dll+f4b1(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 13241300x80000000000000001548280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.147{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\UsnQWORD (0x00000000-0x00000000) 13241300x80000000000000001548279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.147{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\IsOsComponentDWORD (0x00000001) 13241300x80000000000000001548278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.147{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\LanguageDWORD (0x00000409) 13241300x80000000000000001548277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.147{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\SizeQWORD (0x00000000-0x00004d60) 13241300x80000000000000001548276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\AppxPackageRelativeId(Empty) 13241300x80000000000000001548275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\AppxPackageFullName(Empty) 13241300x80000000000000001548274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\BinProductVersion10.0.14393.0 13241300x80000000000000001548273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\LinkDate07/16/2016 01:44:26 13241300x80000000000000001548272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\ProductVersion10.0.14393.0 13241300x80000000000000001548271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\ProductNamemicrosoft® windows® operating system 13241300x80000000000000001548270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\BinaryTypepe32_i386 13241300x80000000000000001548269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\BinFileVersion10.0.14393.0 13241300x80000000000000001548268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\Version10.0.14393.0 (rs1_release.160715-1616) 13241300x80000000000000001548267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\Publishermicrosoft corporation 13241300x80000000000000001548266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\OriginalFileNamedllhost.exe 13241300x80000000000000001548265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\Namedllhost.exe 13241300x80000000000000001548264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\LongPathHashdllhost.exe|79ab8ee61fde52a4 13241300x80000000000000001548263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\LowerCaseLongPathc:\windows\syswow64\dllhost.exe 13241300x80000000000000001548262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\FileId0000a39ce2eabf6c9493effd3fec1226061cb1b086e6 13241300x80000000000000001548261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\ProgramId0000f519feec486de87ed73cb92d3cac802400000000 12241200x80000000000000001548260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4 924900x80000000000000001548259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\Device\Harddisk0\DR0 924900x80000000000000001548258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\Device\HarddiskVolume1 734700x80000000000000001548257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.145{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=EFD0BE8FD1FF4E6D9A2112549F00C298,SHA256=FBC2001A38F051603972763B0CBAE114671C68A5FFB99AB013A0E1055C430AB6trueMicrosoft WindowsValid 734700x80000000000000001548256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.143{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=94C93F32B21EB2DA6AFF2C264B17E623,SHA256=4ABE629C6A2A44F35F205709FB004837871D6CD4F3C21F2F77432B2F98DAFC77trueMicrosoft WindowsValid 734700x80000000000000001548255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.143{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=0F1E9D98CC524190E9B045908E6BC1F6,SHA256=252B3BA71F9452011FA60B6C7655DE65C93EE02754F6B7AF08CBBAAE844CDEEBtrueMicrosoft WindowsValid 12241200x80000000000000001548254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 12241200x80000000000000001548253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x80000000000000001548252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000001548251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile 12241200x80000000000000001548250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root 12241200x80000000000000001548249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 12241200x80000000000000001548248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x80000000000000001548247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 734700x80000000000000001548246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.141{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 12241200x80000000000000001548245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.140{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile 12241200x80000000000000001548244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.139{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root 734700x80000000000000001548243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.128{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=D72267FB5D321279DE909DB118CDEEFE,SHA256=D8386DCF2ACF3D48A2C95CCF6C3A9505E1CA99FF803027D76068596A34210FAEtrueMicrosoft WindowsValid 734700x80000000000000001548242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.126{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000001548241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.126{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=4803B5E62FA1809BBED6F7E987942ACB,SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72trueMicrosoft WindowsValid 734700x80000000000000001548240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.126{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000001548239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.125{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000001548238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.125{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1112AB17E3ABDFF5F20CB2F465A2E117,SHA256=C47039A4DF6C685317C6539F205A46350DB055342704F1957D1FB0A1278AC076trueMicrosoft WindowsValid 12241200x80000000000000001548237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.123{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000001548236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.000{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.000{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6A034286D1F1298B726A1B12DCD786,SHA256=54D77D7EA6DE5B27363D27CB116C30F28C9CF35047603AD6C220984222743322falsefalse - insufficient disk space 10341000x80000000000000001067480Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:37.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067479Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:37.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067478Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:32.727{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32512-false10.0.1.12-8000- 23542300x80000000000000001067477Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:37.256{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC370295F2D4C221DBE53687584E991,SHA256=D86F0B05AE1A826CD21B49F9585B1AF27D294CE4CAA2C375F2114D5DD4728D3C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001548571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:37.930{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502\VirtualDesktopBinary Data 12241200x80000000000000001548570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.930{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502 13241300x80000000000000001548569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:37.883{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001548568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.883{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001548567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001548566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe 534500x80000000000000001548565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe 10341000x80000000000000001548564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001548555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.883{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 12241200x80000000000000001548554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:49:37.883{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502 10341000x80000000000000001548553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.868{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.868{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001548551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:37.166{21761711-83AE-607D-1000-00000000BB01}960\ProtectedPrefix\LocalService\FTHPIPEC:\Windows\system32\svchost.exe 12241200x80000000000000001548550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 13241300x80000000000000001548547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:37.166{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\FTH\CheckPointTimeDWORD (0x0d2d152d) 734700x80000000000000001548546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.165{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\System32\svchost.exeC:\Windows\System32\fthsvc.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft Windows Fault Tolerant Heap Diagnostic ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporationfthsvc.dllMD5=899E60FF3E315B4F05F591551A134835,SHA256=5F26E8E42740C9D72F71752F66D660FB3F0D52D532BAFE85310B51D377BA6081trueMicrosoft WindowsValid 12241200x80000000000000001548545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000001548525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.166{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\System32\svchost.exeC:\Windows\System32\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117trueMicrosoft WindowsValid 12241200x80000000000000001548524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001548522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.166{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=D9715C34200FA21F6356CD5C56FE343C,SHA256=E7541EB9D78312F1F72D8D83A8BB2B26FF3F02F60129DCF7F6759EC7E183C84EtrueMicrosoft WindowsValid 734700x80000000000000001548521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.166{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\System32\svchost.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 12241200x80000000000000001548520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:37.166{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001548519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.164{21761711-83AE-607D-1200-00000000BB01}304C:\Windows\System32\svchost.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x80000000000000001548518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.163{21761711-83AE-607D-1200-00000000BB01}304C:\Windows\System32\svchost.exeC:\Windows\System32\pcacli.dll10.0.14393.0 (rs1_release.160715-1616)Program Compatibility Assistant Client ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975EtrueMicrosoft WindowsValid 734700x80000000000000001548517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.163{21761711-83AE-607D-1200-00000000BB01}304C:\Windows\System32\svchost.exeC:\Windows\System32\pcadm.dll10.0.14393.4350 (rs1_release.210407-2154)Program Compatibility Assistant Diagnostic ModuleMicrosoft® Windows® Operating SystemMicrosoft Corporation-MD5=938A788B0BA2B57AFA75F56346138A37,SHA256=8C2E8E8D2C81DCC2FB08779A413436634809791FF1CF867838996664B7899541trueMicrosoft WindowsValid 734700x80000000000000001548516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.161{21761711-83AE-607D-1000-00000000BB01}960C:\Windows\System32\svchost.exeC:\Windows\System32\wdi.dll10.0.14393.0 (rs1_release.160715-1616)Windows Diagnostic InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationwdi.dllMD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507trueMicrosoft WindowsValid 734700x80000000000000001548515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.161{21761711-83AE-607D-1200-00000000BB01}304C:\Windows\System32\svchost.exeC:\Windows\System32\wdi.dll10.0.14393.0 (rs1_release.160715-1616)Windows Diagnostic InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationwdi.dllMD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507trueMicrosoft WindowsValid 10341000x80000000000000001548514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.160{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.160{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.160{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-83AD-607D-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001548511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.060{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:37.060{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0775927E17D361FA7359ECCEB985063,SHA256=5C475D25FF495CF466826AC13F0DC0C5783F9B8067E122AFAB701193980EF3F3falsefalse - insufficient disk space 23542300x80000000000000001067476Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:37.081{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD3E45E3DA74C8269FDE3C1E3936D4C,SHA256=59E9A8460364B17D3ECA0F517BAFF924DDD6B26FCC5F74175073404244112CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067475Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:37.080{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4CCDD241922368766248C7268444BA2,SHA256=A89FE48D4EB5F811BC533053A51492C0B7466FCA18AD3AC197BD0B6B3CC4B2BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067483Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:38.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067482Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:38.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067481Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:38.260{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F184DFE99A8C4735FF67D56B6B30D2,SHA256=CF15BC6D5A248303F0882BA2FC23C15F879F54ADDEB125610C4B8C56E927489D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:38.886{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:38.886{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFDDBC6C3A6AC88D291947B7744044D7,SHA256=EB0F53B3CAAD95F6935A815C2E59B4921E83D016390317DBDE549E6FE1C29DBDfalsefalse - insufficient disk space 11241100x80000000000000001548576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:38.167{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001548575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:38.167{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B4A17FCE3209D14A13760B7DE351319C,SHA256=40C3654F64FF51A99BA34DE9DF81C66514A9E255444C299650DC4835A87D02A1falsefalse - insufficient disk space 11241100x80000000000000001548574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:38.163{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:38.163{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3C00049BF1DDDA8D287F709C30BFB4,SHA256=98222CF94402802664479CC035F66F71A0179A1D8D1C76F21C1B182B4BA7D6D4falsefalse - insufficient disk space 354300x80000000000000001548572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.382{21761711-65AF-6080-4F5E-00000000BB01}3452<unknown process>WIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local64999-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001067486Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:39.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067485Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:39.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067484Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:39.272{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C319E4016331D551F583FE33ECC9EE7,SHA256=48E507D14AB1351B1001DF08D6B1253152DFF1D571A611F1F17DB8FEE5DF316B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:39.169{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:39.169{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD0EAEC2AC20E45A63E8E24C6E985E1,SHA256=7B331FC969FAB3D9A80B0922CC07343AA85C7C66415ACC0CFBD4AA3BA7AFBB3Bfalsefalse - insufficient disk space 10341000x80000000000000001067489Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:40.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067488Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:40.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067487Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:40.274{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA17BF144B9F0D04F7E5A3290000C05D,SHA256=6758A68808351D4E6C57B78F950E5ECE918E7FD898E14E5E6285C8671AA132F8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001548586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:40.890{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:40.890{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 11241100x80000000000000001548584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:40.189{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:40.189{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B82F3767DE109F5E5592E119341548,SHA256=29A6145F34340AB91CAF73185506A503540E6A0310E7FE4C0C07CF0C1A3E3227falsefalse - insufficient disk space 11241100x80000000000000001548582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:40.069{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:40.068{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=402FADEB178219B9703357C2E006B637,SHA256=F6C6D5775A8434092FCC2BB51078CFC379B48A039B986D2E1C9EC17AB3DF1688falsefalse - insufficient disk space 11241100x80000000000000001548589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:41.254{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:41.254{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F1B9D9DAD84C359E118A311978CB75,SHA256=E3CB6B34286C240F3C777047A1369758D85A29F677B2836644DFA67E787AB2E3falsefalse - insufficient disk space 10341000x80000000000000001067492Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:41.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067491Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:41.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067490Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:41.283{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE9DD070687B7C2963EAD63B8959037,SHA256=CBF6F4953CAE407A713B6983BF7205F838D6F86A35C743E12F848C87D99BAC3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001548587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:38.618{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65000-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001548591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:42.294{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:42.294{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273D5B7B55BD786535B685A4925D912,SHA256=3EBE733276948426DB0C50E07CC745D0D88F026599FFBFF4716EB101EB4A3759falsefalse - insufficient disk space 10341000x80000000000000001067509Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067508Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067507Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:37.872{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32513-false10.0.1.12-8000- 17141700x80000000000000001067506Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-CreatePipe2021-04-21 17:49:42.881{761B69BB-65B6-6080-265D-00000000BA01}2304\MSSE-6836-serverC:\Users\Administrator\Desktop\64_dllhost.exe 10341000x80000000000000001067505Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.878{761B69BB-818C-607D-1200-00000000BA01}6125508C:\Windows\System32\svchost.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067504Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.877{761B69BB-818C-607D-1200-00000000BA01}6126156C:\Windows\System32\svchost.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067503Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.877{761B69BB-818C-607D-1200-00000000BA01}6126156C:\Windows\System32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067502Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.877{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067501Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.876{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067500Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.876{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067499Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.876{761B69BB-84CF-607D-F002-00000000BA01}43804688C:\Windows\system32\csrss.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067498Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.876{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067497Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.876{761B69BB-84D3-607D-0403-00000000BA01}3727156C:\Windows\Explorer.EXE{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+18d18c|C:\Windows\System32\SHELL32.dll+18cee3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067496Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.875{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe-----"C:\Users\Administrator\Desktop\64_dllhost.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{761B69BB-84D1-607D-2C9F-1B0000000000}0x1b9f2c2HighMD5=F833C142FBA7CE8E89C5510363A43052,SHA256=051764E0F16B8BC8ADF41F59B2A4214EA482E5AEC023B44FF91784670524CE5C,IMPHASH=17B461A082950FC6332228572138B80C{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001067495Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.300{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7995D3DA2E4D62B7B933570BEADA34B3,SHA256=90809716FD1E315490382BCBF14CD98BDAF94DE40A4B8791E57BE8A11BE5F3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067494Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.209{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AB50D3C4B5B3809CE672A4EEE1B00D6,SHA256=9434590EEDC9203958677CE2F587310F9DFC8B7034A5AAF1ECFBBD1CA61695BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067493Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.208{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD3E45E3DA74C8269FDE3C1E3936D4C,SHA256=59E9A8460364B17D3ECA0F517BAFF924DDD6B26FCC5F74175073404244112CD2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:43.343{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:43.343{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9F4FFD7987197852E9A58DA53AAF42,SHA256=D9821DEE9864C43419421DD9C847D00604437545599D8ED545D9DC3841A83E33falsefalse - insufficient disk space 10341000x80000000000000001067517Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.984{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067516Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.984{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067515Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.928{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067514Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.912{761B69BB-818A-607D-0B00-00000000BA01}6324224C:\Windows\system32\lsass.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067513Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.912{761B69BB-818A-607D-0B00-00000000BA01}6324224C:\Windows\system32\lsass.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001067512Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-ConnectPipe2021-04-21 17:49:43.905{761B69BB-65B6-6080-265D-00000000BA01}2304\MSSE-6836-serverC:\Users\Administrator\Desktop\64_dllhost.exe 23542300x80000000000000001067511Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.892{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AB50D3C4B5B3809CE672A4EEE1B00D6,SHA256=9434590EEDC9203958677CE2F587310F9DFC8B7034A5AAF1ECFBBD1CA61695BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067510Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.312{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6238D72BF03DD1074FFAF582963785,SHA256=EF262ED90D95E1681C39D55B0AF15E7030367C05FE82FA34F3EBCAF99BDF3B1E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:44.345{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:44.345{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4AC1CFCAB68BF136AD2D49F433C6727,SHA256=3CC17A00CA3E3C92E844EB52DC53B3E8212D4F0C45D91B933F40E73A2C49E28Cfalsefalse - insufficient disk space 10341000x80000000000000001067521Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:44.984{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067520Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:44.984{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067519Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:44.950{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A0699525D5C7E3D87F62E5EE28F24FD,SHA256=0B26C8A2DB8A28C7CAF5789BBEF30E81B2B4D79C7053C4CCA1977BC254D98A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067518Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:44.317{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0924A72ABF9909E2D97304B3A4FC278,SHA256=1632E50C0626664D44A617FB1E24B069EA7DA866D5E8887EF9FC98CC5470AF25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:45.363{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:45.363{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB8C467B30E5E296F54DD5229956B4D4,SHA256=8939AA88DA9B9F1F7B2B983F83033877888456599D79889FC8A7A6118E1363D8falsefalse - insufficient disk space 10341000x80000000000000001067529Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:45.985{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067528Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:45.985{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067527Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:40.604{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32514-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001067526Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:45.959{761B69BB-819C-607D-2700-00000000BA01}28162336C:\Windows\sysmon64.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067525Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:45.959{761B69BB-819C-607D-2700-00000000BA01}28162336C:\Windows\sysmon64.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001067524Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:40.590{761B69BB-65B6-6080-265D-00000000BA01}2304win-dc-9820169.254.79.158;10.0.1.14;C:\Users\Administrator\Desktop\64_dllhost.exe 10341000x80000000000000001067523Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:45.930{761B69BB-819C-607D-2700-00000000BA01}28162468C:\Windows\sysmon64.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16495|C:\Windows\sysmon64.exe+16778|C:\Windows\sysmon64.exe+16aae|C:\Windows\sysmon64.exe+1a5ae|C:\Windows\sysmon64.exe+5ea0|C:\Windows\sysmon64.exe+6037|C:\Windows\System32\sechost.dll+10a75|C:\Windows\System32\sechost.dll+1004d|C:\Windows\System32\sechost.dll+fe55|C:\Windows\System32\sechost.dll+ed3f|C:\Windows\sysmon64.exe+6213|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067522Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:45.331{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A29B1CEAA3C700228A3F0E9DC8DD87,SHA256=534F68BB4A4FC1E3BE48C153A6E43CECF9ECCD78F3965F8F426BC001CAC7A21B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:45.132{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:45.132{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FA638764D36F291A94B0CAC55112654,SHA256=0A6E75A562BE8F06EAC1C2DCF1B93B8DD3FA76B8A28BC05AAAB0675B301DB52Afalsefalse - insufficient disk space 11241100x80000000000000001548597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:45.132{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:45.132{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=726931221DFC7F4F3E3BD102BEC03DE6,SHA256=D35B88C0D920C496154854860CB817979E2B5BF474A3267626B288474BFF454Cfalsefalse - insufficient disk space 11241100x80000000000000001548604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:46.535{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:46.535{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC2D66E920CCC4FE9F2B72EE5269C48,SHA256=C7E4DF45918448F7B3FCE184532CEDF99813468882A77388883B810EAF90F619falsefalse - insufficient disk space 10341000x80000000000000001067532Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:46.985{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067531Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:46.985{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067530Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:46.336{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9BEABBAD35239BC2A90FF7E24B2F14,SHA256=8B6D4AE8528D1377A2F59D5808E9C1704F145AA1F17118C89EA75328D2211019,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001548602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:43.667{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65001-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x80000000000000001548618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:47.807{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000027047C\VirtualDesktopBinary Data 12241200x80000000000000001548617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:47.807{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000027047C 13241300x80000000000000001548616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:47.807{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0502\VirtualDesktopBinary Data 12241200x80000000000000001548615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:47.807{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A0502 13241300x80000000000000001548614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:47.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:47.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:47.769{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:47.769{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:47.769{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001548609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:47.753{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:47.753{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:47.753{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001548606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:47.553{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:47.553{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3787FF7438AE4515B8A9342B4B83C76,SHA256=DB56EDD4C1E02A18C5B7C46AB5FADCD1750AB099B03BE0432AD783191D75695Bfalsefalse - insufficient disk space 10341000x80000000000000001067535Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:47.986{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067534Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:47.986{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067533Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:47.339{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288C9A997B45C6176ACADFD14C43BB88,SHA256=364865006C62E67030A846D7D8A4FFB82D8FD9132A21B9668D0A8C838FDC895D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:48.571{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:48.571{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D712A55F3FF7D6BCECA4FDC4FA6AAC49,SHA256=21A874626F0ADD4E3AA378A8A20B9E5C8505603DA4259F1D92D3600C1FC3C422falsefalse - insufficient disk space 10341000x80000000000000001067541Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:48.986{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067540Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:48.986{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067539Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.764{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32515-false10.0.1.12-8000- 23542300x80000000000000001067538Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:48.958{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=46D4C91E088863B290350596C68C4651,SHA256=3573BE83318CF6BDB44B9A622FE15435066EC8D761D1615B1DF1C32654EA3FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067537Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:48.342{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62722B5DC4AD7A6293B028967E919000,SHA256=AD78AB7DBB97C88E0B96B0B980BABFEE615E3A24E0DCA39328D2AA2BC27CB65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067536Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:48.110{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97B2706C756FF44FC87C68BA2910C878,SHA256=C0F507E8CDE883870F449D4A84AA48E4ED336994297E45B359A436571E076103,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:49.573{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:49.573{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9A33969617C85C2C86F29E1EE0252A,SHA256=63CF444B0D3B1ED51F7726A95C49A3A6D5E1A28183330B50E1482CAE82A72704falsefalse - insufficient disk space 10341000x80000000000000001067544Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:49.986{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067543Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:49.986{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067542Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:49.346{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD0DB138ED98CFEEBECF3E1AD92B358,SHA256=01D99BE5C8B5D00E33D75619852B82415F3BA8592C3C18F93D97733DA594D161,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:50.613{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:50.613{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7306999BDB4893DE3CC30C9B08B3BF68,SHA256=1D6B85EB49995D008A8DC64FD2E38CC3DD32CF887B8E597BF3CEFA9F1ACCFB05falsefalse - insufficient disk space 10341000x80000000000000001067547Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:50.987{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067546Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:50.987{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067545Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:50.351{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EB124605DA214FAD9D8E0EF2976FE2,SHA256=38DAB379FE52970F0FAAF434205BA0DAB75A9A53A371DFB9D9E583A181809793,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:50.143{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:50.143{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC857BE6D9474FFFB3BB824A3763F155,SHA256=37678E78803005D8C0664EF5D45C0CBCD364891F417DC60E69E46BFDA0A2238Cfalsefalse - insufficient disk space 11241100x80000000000000001548624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:50.143{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:50.143{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FA638764D36F291A94B0CAC55112654,SHA256=0A6E75A562BE8F06EAC1C2DCF1B93B8DD3FA76B8A28BC05AAAB0675B301DB52Afalsefalse - insufficient disk space 11241100x80000000000000001548639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:51.716{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:51.716{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFA96A7B9EEA2E501CCAC23739B20DD,SHA256=0A00F0E53FC7938BD4FF77FAB8BA462E2A300044C23A9F604BF9FE72CE3DA0EDfalsefalse - insufficient disk space 10341000x80000000000000001067551Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:51.987{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067550Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:51.987{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067549Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:51.705{761B69BB-818C-607D-0D00-00000000BA01}9046912C:\Windows\system32\svchost.exe{761B69BB-63E3-6080-E95C-00000000BA01}6292C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067548Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:51.361{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6049C105AD6D1A93FD039B1E2358718,SHA256=E9A8B9DD40E9305B15985DCA88AB5E5042B3D263AB5928F982E4DAB7448ED50F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001548637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.362{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000027047C\VirtualDesktopBinary Data 12241200x80000000000000001548636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:51.362{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000027047C 13241300x80000000000000001548635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.315{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.315{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:51.315{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001548632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.299{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.299{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:51.299{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001548629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:48.695{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65002-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001548644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:52.734{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:52.734{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA16AD48089C1410007DB6DCAC218F27,SHA256=42D942BB2930477F6F2CFBD65AB4A59636214664CA04CADC08BD411811C966AEfalsefalse - insufficient disk space 10341000x80000000000000001067554Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:52.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067553Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:52.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067552Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:52.369{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F730592E5792468363E28546ECDE6EAF,SHA256=BC193FE90579830C66A581E9B1233327FA5738CEEA384CB788A6D054FC270981,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001548642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:52.681{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:52.681{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:52.681{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001548651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:53.922{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:53.922{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE287760F2E56525770F82D0542C0DC,SHA256=4B17BA62D9CF43DC8AD12E761469E4EA0653A33877407F2A04F59B14BAC5C1CEfalsefalse - insufficient disk space 10341000x80000000000000001067560Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067559Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067558Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:48.898{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32516-false10.0.1.12-8000- 23542300x80000000000000001067557Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.376{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4EDEE60B18D7A316123A4A9B16525A,SHA256=B3794BAB7EEC31A77CE1443B518A91199E2E97901E40D04AF49D7DA822DFC5FF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001548649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:53.668{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D051E\VirtualDesktopBinary Data 12241200x80000000000000001548648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:53.668{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D051E 13241300x80000000000000001548647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:53.601{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:53.601{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:53.601{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067556Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.234{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB892FB34E6FF1C1FCA6A7312B70F196,SHA256=6517E9F46C2034721812D4C2CDD5DFFE97D692C2D7985D63CF9C55D42FFC8BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067555Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.233{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C5DBC9DB85B52A44DE8AD1B4F531372,SHA256=3C9C686BC043B7E38C0251B18B84009ABB8B2DA3E7F43C46CF9B954AB634F2B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:54.924{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:54.924{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446A6416D0B4F0B9F9F67BD3A4AF5A6E,SHA256=0632B2C4B39563D57DFC29FFD83EB6CD107E1527227EF0152E078D20AED7E52Bfalsefalse - insufficient disk space 10341000x80000000000000001067563Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:54.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067562Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:54.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067561Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:54.382{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF6DBC23C54FDB46E20FF5A5B291F24,SHA256=EB4F65E0D62421ACAEE97D4D3749304061B85151E7EA9E4B78E0D7D6F629CCC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067567Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:55.989{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067566Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:55.989{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067565Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:55.873{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB892FB34E6FF1C1FCA6A7312B70F196,SHA256=6517E9F46C2034721812D4C2CDD5DFFE97D692C2D7985D63CF9C55D42FFC8BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067564Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:55.386{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89499CDB9ECD18CCDA4DAB02A6907DCC,SHA256=3772F0B2673FA3153F380D3036CF2F0E0AAF3123DD57EBD73F393F9B3C78299D,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001549575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x80000000000000001549574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x80000000000000001549573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x80000000000000001549572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 13241300x80000000000000001549571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000001549570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000001549569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x80000000000000001549568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001549567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000001549566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001549565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x80000000000000001549564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x80000000000000001549563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=6A4EC7FCDF21570DCB1AAEA8BCE6C68B,SHA256=11DF4EEFA9F2EAB3440D073442C14884AA4145360F1ADB63B220431E5D01BB2CtrueMicrosoft WindowsValid 12241200x80000000000000001549562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x80000000000000001549561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6trueMicrosoft WindowsValid 10341000x80000000000000001549560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001549559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x80000000000000001549558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000001549557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x80000000000000001549556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x80000000000000001549555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x80000000000000001549554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x80000000000000001549553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x80000000000000001549552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171trueMicrosoft WindowsValid 734700x80000000000000001549551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839trueMicrosoft WindowsValid 12241200x80000000000000001549550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x80000000000000001549549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4trueMicrosoft WindowsValid 734700x80000000000000001549548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=5956013FD503AA525624271D79C23A41,SHA256=F678669E7BDEAA35648FD330F23627EA15B2D79D263610F46FB1B3881AEDBF74trueMicrosoft WindowsValid 734700x80000000000000001549547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0trueMicrosoft WindowsValid 734700x80000000000000001549546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FBtrueMicrosoft WindowsValid 734700x80000000000000001549545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2FtrueMicrosoft WindowsValid 734700x80000000000000001549544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 734700x80000000000000001549543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=4803B5E62FA1809BBED6F7E987942ACB,SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72trueMicrosoft WindowsValid 734700x80000000000000001549542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000001549541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 734700x80000000000000001549540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValid 734700x80000000000000001549539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000001549538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1112AB17E3ABDFF5F20CB2F465A2E117,SHA256=C47039A4DF6C685317C6539F205A46350DB055342704F1957D1FB0A1278AC076trueMicrosoft WindowsValid 734700x80000000000000001549537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000001549536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426trueMicrosoft WindowsValid 734700x80000000000000001549535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000001549534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000001549533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 10341000x80000000000000001549532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001549531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001549530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000001549529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000001549528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=D72267FB5D321279DE909DB118CDEEFE,SHA256=D8386DCF2ACF3D48A2C95CCF6C3A9505E1CA99FF803027D76068596A34210FAEtrueMicrosoft WindowsValid 734700x80000000000000001549527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 734700x80000000000000001549526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\wininet.dll11.00.14393.4283 (rs1_release.210303-1802)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=253114E61AAAE4A12B73BAA54FBAAA62,SHA256=738E566E19705CA3190F448EDA108FAB2324C6A6E9DAAA12024777C9C5E6BF0EtrueMicrosoft WindowsValid 734700x80000000000000001549525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000001549524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 734700x80000000000000001549523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000001549522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000001549521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000001549520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000001549519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000001549518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000001549517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001549516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000001549515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001549514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001549513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001549512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001549511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000001549510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000001549509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 734700x80000000000000001549508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001549507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8trueMicrosoft WindowsValid 824800x80000000000000001549506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.958{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe41880x00000000005C0000-- 11241100x80000000000000001549505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274634_WINWORD.EXE_3548_4412_2514.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274635_WINWORD.EXE_3548_4412_2513.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274635_WINWORD.EXE_3548_4412_2512.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274636_WINWORD.EXE_3548_4412_2511.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274636_WINWORD.EXE_3548_4412_2510.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274637_WINWORD.EXE_3548_4412_2509.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274637_WINWORD.EXE_3548_4412_2508.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274638_WINWORD.EXE_3548_4412_2507.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274638_WINWORD.EXE_3548_4412_2506.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274641_WINWORD.EXE_3548_4412_2505.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274641_WINWORD.EXE_3548_4412_2504.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274642_WINWORD.EXE_3548_4412_2503.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274642_WINWORD.EXE_3548_4412_2502.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274643_WINWORD.EXE_3548_4412_2501.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274643_WINWORD.EXE_3548_4412_2500.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274644_WINWORD.EXE_3548_4412_2499.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274644_WINWORD.EXE_3548_4412_2498.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274645_WINWORD.EXE_3548_4412_2497.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274645_WINWORD.EXE_3548_4412_2496.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274646_WINWORD.EXE_3548_4412_2495.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274646_WINWORD.EXE_3548_4412_2494.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274646_WINWORD.EXE_3548_4412_2493.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274647_WINWORD.EXE_3548_4412_2492.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274647_WINWORD.EXE_3548_4412_2491.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274648_WINWORD.EXE_3548_4412_2490.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274648_WINWORD.EXE_3548_4412_2489.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274649_WINWORD.EXE_3548_4412_2488.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274649_WINWORD.EXE_3548_4412_2487.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.942{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274650_WINWORD.EXE_3548_4412_2486.dmp2021-04-21 17:49:55.942 11241100x80000000000000001549476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274650_WINWORD.EXE_3548_4412_2485.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274650_WINWORD.EXE_3548_4412_2484.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274651_WINWORD.EXE_3548_4412_2483.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274651_WINWORD.EXE_3548_4412_2482.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274652_WINWORD.EXE_3548_4412_2481.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274652_WINWORD.EXE_3548_4412_2480.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274653_WINWORD.EXE_3548_4412_2479.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274653_WINWORD.EXE_3548_4412_2478.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274654_WINWORD.EXE_3548_4412_2477.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274654_WINWORD.EXE_3548_4412_2476.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274655_WINWORD.EXE_3548_4412_2475.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274655_WINWORD.EXE_3548_4412_2474.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274656_WINWORD.EXE_3548_4412_2473.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274656_WINWORD.EXE_3548_4412_2472.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274656_WINWORD.EXE_3548_4412_2471.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274657_WINWORD.EXE_3548_4412_2470.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274657_WINWORD.EXE_3548_4412_2469.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274658_WINWORD.EXE_3548_4412_2468.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274658_WINWORD.EXE_3548_4412_2467.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274659_WINWORD.EXE_3548_4412_2466.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274659_WINWORD.EXE_3548_4412_2465.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274660_WINWORD.EXE_3548_4412_2464.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274660_WINWORD.EXE_3548_4412_2463.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274661_WINWORD.EXE_3548_4412_2462.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274661_WINWORD.EXE_3548_4412_2461.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274661_WINWORD.EXE_3548_4412_2460.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274662_WINWORD.EXE_3548_4412_2459.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274662_WINWORD.EXE_3548_4412_2458.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274663_WINWORD.EXE_3548_4412_2457.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274663_WINWORD.EXE_3548_4412_2456.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274664_WINWORD.EXE_3548_4412_2455.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274664_WINWORD.EXE_3548_4412_2454.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274665_WINWORD.EXE_3548_4412_2453.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274665_WINWORD.EXE_3548_4412_2452.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274665_WINWORD.EXE_3548_4412_2451.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274666_WINWORD.EXE_3548_4412_2450.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274666_WINWORD.EXE_3548_4412_2449.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274667_WINWORD.EXE_3548_4412_2448.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274667_WINWORD.EXE_3548_4412_2447.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274668_WINWORD.EXE_3548_4412_2446.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274668_WINWORD.EXE_3548_4412_2445.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274669_WINWORD.EXE_3548_4412_2444.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274669_WINWORD.EXE_3548_4412_2443.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274670_WINWORD.EXE_3548_4412_2442.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274670_WINWORD.EXE_3548_4412_2441.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274670_WINWORD.EXE_3548_4412_2440.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274671_WINWORD.EXE_3548_4412_2439.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274671_WINWORD.EXE_3548_4412_2438.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274672_WINWORD.EXE_3548_4412_2437.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274672_WINWORD.EXE_3548_4412_2436.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274673_WINWORD.EXE_3548_4412_2435.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274673_WINWORD.EXE_3548_4412_2434.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274674_WINWORD.EXE_3548_4412_2433.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274674_WINWORD.EXE_3548_4412_2432.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274674_WINWORD.EXE_3548_4412_2431.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274675_WINWORD.EXE_3548_4412_2430.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274675_WINWORD.EXE_3548_4412_2429.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274676_WINWORD.EXE_3548_4412_2428.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274676_WINWORD.EXE_3548_4412_2427.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274677_WINWORD.EXE_3548_4412_2426.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274677_WINWORD.EXE_3548_4412_2425.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274678_WINWORD.EXE_3548_4412_2424.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274678_WINWORD.EXE_3548_4412_2423.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274679_WINWORD.EXE_3548_4412_2422.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274679_WINWORD.EXE_3548_4412_2421.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274679_WINWORD.EXE_3548_4412_2420.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274680_WINWORD.EXE_3548_4412_2419.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274680_WINWORD.EXE_3548_4412_2418.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274681_WINWORD.EXE_3548_4412_2417.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274681_WINWORD.EXE_3548_4412_2416.dmp2021-04-21 17:49:55.910 11241100x80000000000000001549406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.910{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274682_WINWORD.EXE_3548_4412_2415.dmp2021-04-21 17:49:55.910 11241100x80000000000000001549405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.910{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274682_WINWORD.EXE_3548_4412_2414.dmp2021-04-21 17:49:55.909 11241100x80000000000000001549404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.909{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274683_WINWORD.EXE_3548_4412_2413.dmp2021-04-21 17:49:55.909 11241100x80000000000000001549403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.909{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274683_WINWORD.EXE_3548_4412_2412.dmp2021-04-21 17:49:55.908 11241100x80000000000000001549402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.908{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274684_WINWORD.EXE_3548_4412_2411.dmp2021-04-21 17:49:55.908 11241100x80000000000000001549401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.908{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274684_WINWORD.EXE_3548_4412_2410.dmp2021-04-21 17:49:55.908 11241100x80000000000000001549400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.907{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274685_WINWORD.EXE_3548_4412_2409.dmp2021-04-21 17:49:55.907 11241100x80000000000000001549399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.907{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274685_WINWORD.EXE_3548_4412_2408.dmp2021-04-21 17:49:55.907 11241100x80000000000000001549398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.906{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274686_WINWORD.EXE_3548_4412_2407.dmp2021-04-21 17:49:55.906 11241100x80000000000000001549397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.906{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274686_WINWORD.EXE_3548_4412_2406.dmp2021-04-21 17:49:55.906 11241100x80000000000000001549396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.905{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274687_WINWORD.EXE_3548_4412_2405.dmp2021-04-21 17:49:55.905 11241100x80000000000000001549395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.905{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274687_WINWORD.EXE_3548_4412_2404.dmp2021-04-21 17:49:55.905 11241100x80000000000000001549394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.904{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274687_WINWORD.EXE_3548_4412_2403.dmp2021-04-21 17:49:55.904 11241100x80000000000000001549393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274688_WINWORD.EXE_3548_4412_2402.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274689_WINWORD.EXE_3548_4412_2401.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274689_WINWORD.EXE_3548_4412_2400.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274689_WINWORD.EXE_3548_4412_2399.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274690_WINWORD.EXE_3548_4412_2398.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274690_WINWORD.EXE_3548_4412_2397.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274691_WINWORD.EXE_3548_4412_2396.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274691_WINWORD.EXE_3548_4412_2395.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274692_WINWORD.EXE_3548_4412_2394.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274692_WINWORD.EXE_3548_4412_2393.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274693_WINWORD.EXE_3548_4412_2392.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274693_WINWORD.EXE_3548_4412_2391.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274693_WINWORD.EXE_3548_4412_2390.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274694_WINWORD.EXE_3548_4412_2389.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274694_WINWORD.EXE_3548_4412_2388.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274695_WINWORD.EXE_3548_4412_2387.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274695_WINWORD.EXE_3548_4412_2386.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274696_WINWORD.EXE_3548_4412_2385.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274696_WINWORD.EXE_3548_4412_2384.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274697_WINWORD.EXE_3548_4412_2383.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274697_WINWORD.EXE_3548_4412_2382.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274697_WINWORD.EXE_3548_4412_2381.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274698_WINWORD.EXE_3548_4412_2380.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274698_WINWORD.EXE_3548_4412_2379.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274699_WINWORD.EXE_3548_4412_2378.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274699_WINWORD.EXE_3548_4412_2377.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274700_WINWORD.EXE_3548_4412_2376.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274700_WINWORD.EXE_3548_4412_2375.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274701_WINWORD.EXE_3548_4412_2374.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274701_WINWORD.EXE_3548_4412_2373.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274701_WINWORD.EXE_3548_4412_2372.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274702_WINWORD.EXE_3548_4412_2371.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274702_WINWORD.EXE_3548_4412_2370.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274703_WINWORD.EXE_3548_4412_2369.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274703_WINWORD.EXE_3548_4412_2368.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274704_WINWORD.EXE_3548_4412_2367.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274704_WINWORD.EXE_3548_4412_2366.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274705_WINWORD.EXE_3548_4412_2365.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274705_WINWORD.EXE_3548_4412_2364.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274706_WINWORD.EXE_3548_4412_2363.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274706_WINWORD.EXE_3548_4412_2362.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274706_WINWORD.EXE_3548_4412_2361.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274707_WINWORD.EXE_3548_4412_2360.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274707_WINWORD.EXE_3548_4412_2359.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274708_WINWORD.EXE_3548_4412_2358.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274708_WINWORD.EXE_3548_4412_2357.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274709_WINWORD.EXE_3548_4412_2356.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274709_WINWORD.EXE_3548_4412_2355.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274710_WINWORD.EXE_3548_4412_2354.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274710_WINWORD.EXE_3548_4412_2353.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274710_WINWORD.EXE_3548_4412_2352.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274711_WINWORD.EXE_3548_4412_2351.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274711_WINWORD.EXE_3548_4412_2350.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274712_WINWORD.EXE_3548_4412_2349.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274712_WINWORD.EXE_3548_4412_2348.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274713_WINWORD.EXE_3548_4412_2347.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274713_WINWORD.EXE_3548_4412_2346.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274714_WINWORD.EXE_3548_4412_2345.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274714_WINWORD.EXE_3548_4412_2344.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274715_WINWORD.EXE_3548_4412_2343.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 11241100x80000000000000001549332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274715_WINWORD.EXE_3548_4412_2342.dmp2021-04-21 17:49:55.873 23542300x80000000000000001549331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C672582971EAA52AB73FA7FA6207C5,SHA256=17374D711F0EE4AED0E9362B123836634B9D2032D23C48E2B688C95B2F43B6E7falsefalse - insufficient disk space 11241100x80000000000000001549330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274716_WINWORD.EXE_3548_4412_2341.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274716_WINWORD.EXE_3548_4412_2340.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274717_WINWORD.EXE_3548_4412_2339.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274718_WINWORD.EXE_3548_4412_2338.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274718_WINWORD.EXE_3548_4412_2337.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.873{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274719_WINWORD.EXE_3548_4412_2336.dmp2021-04-21 17:49:55.873 11241100x80000000000000001549324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274719_WINWORD.EXE_3548_4412_2335.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274720_WINWORD.EXE_3548_4412_2334.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274720_WINWORD.EXE_3548_4412_2333.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274720_WINWORD.EXE_3548_4412_2332.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274721_WINWORD.EXE_3548_4412_2331.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274721_WINWORD.EXE_3548_4412_2330.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274722_WINWORD.EXE_3548_4412_2329.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274722_WINWORD.EXE_3548_4412_2328.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274723_WINWORD.EXE_3548_4412_2327.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274723_WINWORD.EXE_3548_4412_2326.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274724_WINWORD.EXE_3548_4412_2325.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274724_WINWORD.EXE_3548_4412_2324.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274724_WINWORD.EXE_3548_4412_2323.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274725_WINWORD.EXE_3548_4412_2322.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274725_WINWORD.EXE_3548_4412_2321.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274726_WINWORD.EXE_3548_4412_2320.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274726_WINWORD.EXE_3548_4412_2319.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274727_WINWORD.EXE_3548_4412_2318.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274727_WINWORD.EXE_3548_4412_2317.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274727_WINWORD.EXE_3548_4412_2316.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274728_WINWORD.EXE_3548_4412_2315.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274728_WINWORD.EXE_3548_4412_2314.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274729_WINWORD.EXE_3548_4412_2313.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274729_WINWORD.EXE_3548_4412_2312.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274730_WINWORD.EXE_3548_4412_2311.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274730_WINWORD.EXE_3548_4412_2310.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274731_WINWORD.EXE_3548_4412_2309.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274731_WINWORD.EXE_3548_4412_2308.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274732_WINWORD.EXE_3548_4412_2307.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274732_WINWORD.EXE_3548_4412_2306.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274732_WINWORD.EXE_3548_4412_2305.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274733_WINWORD.EXE_3548_4412_2304.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274733_WINWORD.EXE_3548_4412_2303.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274734_WINWORD.EXE_3548_4412_2302.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.858{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274734_WINWORD.EXE_3548_4412_2301.dmp2021-04-21 17:49:55.858 11241100x80000000000000001549289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274735_WINWORD.EXE_3548_4412_2300.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274735_WINWORD.EXE_3548_4412_2299.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274736_WINWORD.EXE_3548_4412_2298.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274736_WINWORD.EXE_3548_4412_2297.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274736_WINWORD.EXE_3548_4412_2296.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274737_WINWORD.EXE_3548_4412_2295.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274737_WINWORD.EXE_3548_4412_2294.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274738_WINWORD.EXE_3548_4412_2293.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274738_WINWORD.EXE_3548_4412_2292.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274739_WINWORD.EXE_3548_4412_2291.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274739_WINWORD.EXE_3548_4412_2290.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274739_WINWORD.EXE_3548_4412_2289.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274740_WINWORD.EXE_3548_4412_2288.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274740_WINWORD.EXE_3548_4412_2287.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274741_WINWORD.EXE_3548_4412_2286.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274741_WINWORD.EXE_3548_4412_2285.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274742_WINWORD.EXE_3548_4412_2284.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274742_WINWORD.EXE_3548_4412_2283.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274742_WINWORD.EXE_3548_4412_2282.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274743_WINWORD.EXE_3548_4412_2281.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274743_WINWORD.EXE_3548_4412_2280.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274744_WINWORD.EXE_3548_4412_2279.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274744_WINWORD.EXE_3548_4412_2278.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274745_WINWORD.EXE_3548_4412_2277.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274745_WINWORD.EXE_3548_4412_2276.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274746_WINWORD.EXE_3548_4412_2275.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274746_WINWORD.EXE_3548_4412_2274.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274746_WINWORD.EXE_3548_4412_2273.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274747_WINWORD.EXE_3548_4412_2272.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274747_WINWORD.EXE_3548_4412_2271.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274748_WINWORD.EXE_3548_4412_2270.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274748_WINWORD.EXE_3548_4412_2269.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274749_WINWORD.EXE_3548_4412_2268.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274749_WINWORD.EXE_3548_4412_2267.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274749_WINWORD.EXE_3548_4412_2266.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.842{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274750_WINWORD.EXE_3548_4412_2265.dmp2021-04-21 17:49:55.842 11241100x80000000000000001549253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274750_WINWORD.EXE_3548_4412_2264.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274751_WINWORD.EXE_3548_4412_2263.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274751_WINWORD.EXE_3548_4412_2262.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274752_WINWORD.EXE_3548_4412_2261.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274752_WINWORD.EXE_3548_4412_2260.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274753_WINWORD.EXE_3548_4412_2259.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274753_WINWORD.EXE_3548_4412_2258.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274753_WINWORD.EXE_3548_4412_2257.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274754_WINWORD.EXE_3548_4412_2256.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274754_WINWORD.EXE_3548_4412_2255.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274755_WINWORD.EXE_3548_4412_2254.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274755_WINWORD.EXE_3548_4412_2253.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274756_WINWORD.EXE_3548_4412_2252.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274756_WINWORD.EXE_3548_4412_2251.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274757_WINWORD.EXE_3548_4412_2250.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274761_WINWORD.EXE_3548_4412_2249.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274761_WINWORD.EXE_3548_4412_2248.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274762_WINWORD.EXE_3548_4412_2247.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274762_WINWORD.EXE_3548_4412_2246.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274762_WINWORD.EXE_3548_4412_2245.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274763_WINWORD.EXE_3548_4412_2244.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274763_WINWORD.EXE_3548_4412_2243.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274764_WINWORD.EXE_3548_4412_2242.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274764_WINWORD.EXE_3548_4412_2241.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274765_WINWORD.EXE_3548_4412_2240.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274765_WINWORD.EXE_3548_4412_2239.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274766_WINWORD.EXE_3548_4412_2238.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274766_WINWORD.EXE_3548_4412_2237.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274766_WINWORD.EXE_3548_4412_2236.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274767_WINWORD.EXE_3548_4412_2235.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274767_WINWORD.EXE_3548_4412_2234.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274768_WINWORD.EXE_3548_4412_2233.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274768_WINWORD.EXE_3548_4412_2232.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274771_WINWORD.EXE_3548_4412_2231.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274771_WINWORD.EXE_3548_4412_2230.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274772_WINWORD.EXE_3548_4412_2229.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274772_WINWORD.EXE_3548_4412_2228.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274773_WINWORD.EXE_3548_4412_2227.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274773_WINWORD.EXE_3548_4412_2226.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274773_WINWORD.EXE_3548_4412_2225.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274774_WINWORD.EXE_3548_4412_2224.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274774_WINWORD.EXE_3548_4412_2223.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274775_WINWORD.EXE_3548_4412_2222.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274775_WINWORD.EXE_3548_4412_2221.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274776_WINWORD.EXE_3548_4412_2220.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274776_WINWORD.EXE_3548_4412_2219.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274776_WINWORD.EXE_3548_4412_2218.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274777_WINWORD.EXE_3548_4412_2217.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274777_WINWORD.EXE_3548_4412_2216.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274778_WINWORD.EXE_3548_4412_2215.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274778_WINWORD.EXE_3548_4412_2214.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274779_WINWORD.EXE_3548_4412_2213.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274779_WINWORD.EXE_3548_4412_2212.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274780_WINWORD.EXE_3548_4412_2211.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274780_WINWORD.EXE_3548_4412_2210.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274780_WINWORD.EXE_3548_4412_2209.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274781_WINWORD.EXE_3548_4412_2208.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274781_WINWORD.EXE_3548_4412_2207.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.810{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274782_WINWORD.EXE_3548_4412_2206.dmp2021-04-21 17:49:55.810 11241100x80000000000000001549194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.810{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274782_WINWORD.EXE_3548_4412_2205.dmp2021-04-21 17:49:55.810 11241100x80000000000000001549193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.809{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274783_WINWORD.EXE_3548_4412_2204.dmp2021-04-21 17:49:55.809 11241100x80000000000000001549192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.809{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274783_WINWORD.EXE_3548_4412_2203.dmp2021-04-21 17:49:55.809 11241100x80000000000000001549191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.809{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274784_WINWORD.EXE_3548_4412_2202.dmp2021-04-21 17:49:55.808 11241100x80000000000000001549190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.808{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274784_WINWORD.EXE_3548_4412_2201.dmp2021-04-21 17:49:55.808 11241100x80000000000000001549189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.808{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274784_WINWORD.EXE_3548_4412_2200.dmp2021-04-21 17:49:55.807 11241100x80000000000000001549188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.807{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274785_WINWORD.EXE_3548_4412_2199.dmp2021-04-21 17:49:55.807 11241100x80000000000000001549187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.807{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274785_WINWORD.EXE_3548_4412_2198.dmp2021-04-21 17:49:55.807 11241100x80000000000000001549186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.806{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274786_WINWORD.EXE_3548_4412_2197.dmp2021-04-21 17:49:55.806 11241100x80000000000000001549185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.806{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274786_WINWORD.EXE_3548_4412_2196.dmp2021-04-21 17:49:55.806 11241100x80000000000000001549184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.805{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274787_WINWORD.EXE_3548_4412_2195.dmp2021-04-21 17:49:55.805 11241100x80000000000000001549183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.805{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274787_WINWORD.EXE_3548_4412_2194.dmp2021-04-21 17:49:55.805 11241100x80000000000000001549182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.804{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274788_WINWORD.EXE_3548_4412_2193.dmp2021-04-21 17:49:55.804 11241100x80000000000000001549181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274788_WINWORD.EXE_3548_4412_2192.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274788_WINWORD.EXE_3548_4412_2191.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274789_WINWORD.EXE_3548_4412_2190.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274789_WINWORD.EXE_3548_4412_2189.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274790_WINWORD.EXE_3548_4412_2188.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274790_WINWORD.EXE_3548_4412_2187.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274791_WINWORD.EXE_3548_4412_2186.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274791_WINWORD.EXE_3548_4412_2185.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274791_WINWORD.EXE_3548_4412_2184.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274792_WINWORD.EXE_3548_4412_2183.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274792_WINWORD.EXE_3548_4412_2182.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274793_WINWORD.EXE_3548_4412_2181.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274793_WINWORD.EXE_3548_4412_2180.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274794_WINWORD.EXE_3548_4412_2179.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274794_WINWORD.EXE_3548_4412_2178.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274794_WINWORD.EXE_3548_4412_2177.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274795_WINWORD.EXE_3548_4412_2176.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274795_WINWORD.EXE_3548_4412_2175.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274796_WINWORD.EXE_3548_4412_2174.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274796_WINWORD.EXE_3548_4412_2173.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274797_WINWORD.EXE_3548_4412_2172.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274797_WINWORD.EXE_3548_4412_2171.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274798_WINWORD.EXE_3548_4412_2170.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274798_WINWORD.EXE_3548_4412_2169.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274798_WINWORD.EXE_3548_4412_2168.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274799_WINWORD.EXE_3548_4412_2167.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274799_WINWORD.EXE_3548_4412_2166.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274800_WINWORD.EXE_3548_4412_2165.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274800_WINWORD.EXE_3548_4412_2164.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274801_WINWORD.EXE_3548_4412_2163.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274801_WINWORD.EXE_3548_4412_2162.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274801_WINWORD.EXE_3548_4412_2161.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274802_WINWORD.EXE_3548_4412_2160.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274802_WINWORD.EXE_3548_4412_2159.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274803_WINWORD.EXE_3548_4412_2158.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274803_WINWORD.EXE_3548_4412_2157.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274804_WINWORD.EXE_3548_4412_2156.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274804_WINWORD.EXE_3548_4412_2155.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274805_WINWORD.EXE_3548_4412_2154.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274805_WINWORD.EXE_3548_4412_2153.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274805_WINWORD.EXE_3548_4412_2152.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274806_WINWORD.EXE_3548_4412_2151.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274806_WINWORD.EXE_3548_4412_2150.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274807_WINWORD.EXE_3548_4412_2149.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274807_WINWORD.EXE_3548_4412_2148.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274808_WINWORD.EXE_3548_4412_2147.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274808_WINWORD.EXE_3548_4412_2146.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274809_WINWORD.EXE_3548_4412_2145.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274809_WINWORD.EXE_3548_4412_2144.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274810_WINWORD.EXE_3548_4412_2143.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274810_WINWORD.EXE_3548_4412_2142.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274810_WINWORD.EXE_3548_4412_2141.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274811_WINWORD.EXE_3548_4412_2140.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274811_WINWORD.EXE_3548_4412_2139.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274812_WINWORD.EXE_3548_4412_2138.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274812_WINWORD.EXE_3548_4412_2137.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274813_WINWORD.EXE_3548_4412_2136.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274813_WINWORD.EXE_3548_4412_2135.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274813_WINWORD.EXE_3548_4412_2134.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274814_WINWORD.EXE_3548_4412_2133.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274814_WINWORD.EXE_3548_4412_2132.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274815_WINWORD.EXE_3548_4412_2131.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274815_WINWORD.EXE_3548_4412_2130.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274816_WINWORD.EXE_3548_4412_2129.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274816_WINWORD.EXE_3548_4412_2128.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274816_WINWORD.EXE_3548_4412_2127.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274817_WINWORD.EXE_3548_4412_2126.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274817_WINWORD.EXE_3548_4412_2125.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274818_WINWORD.EXE_3548_4412_2124.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274818_WINWORD.EXE_3548_4412_2123.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274819_WINWORD.EXE_3548_4412_2122.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.773{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274819_WINWORD.EXE_3548_4412_2121.dmp2021-04-21 17:49:55.773 11241100x80000000000000001549109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274820_WINWORD.EXE_3548_4412_2120.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274820_WINWORD.EXE_3548_4412_2119.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274820_WINWORD.EXE_3548_4412_2118.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274821_WINWORD.EXE_3548_4412_2117.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274821_WINWORD.EXE_3548_4412_2116.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274822_WINWORD.EXE_3548_4412_2115.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274822_WINWORD.EXE_3548_4412_2114.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274823_WINWORD.EXE_3548_4412_2113.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274823_WINWORD.EXE_3548_4412_2112.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274824_WINWORD.EXE_3548_4412_2111.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274824_WINWORD.EXE_3548_4412_2110.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274824_WINWORD.EXE_3548_4412_2109.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274825_WINWORD.EXE_3548_4412_2108.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274825_WINWORD.EXE_3548_4412_2107.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274826_WINWORD.EXE_3548_4412_2106.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274826_WINWORD.EXE_3548_4412_2105.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274826_WINWORD.EXE_3548_4412_2104.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274827_WINWORD.EXE_3548_4412_2103.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274827_WINWORD.EXE_3548_4412_2102.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274828_WINWORD.EXE_3548_4412_2101.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274828_WINWORD.EXE_3548_4412_2100.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274829_WINWORD.EXE_3548_4412_2099.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274829_WINWORD.EXE_3548_4412_2098.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274830_WINWORD.EXE_3548_4412_2097.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274830_WINWORD.EXE_3548_4412_2096.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274830_WINWORD.EXE_3548_4412_2095.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274831_WINWORD.EXE_3548_4412_2094.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274831_WINWORD.EXE_3548_4412_2093.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274832_WINWORD.EXE_3548_4412_2092.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274832_WINWORD.EXE_3548_4412_2091.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274833_WINWORD.EXE_3548_4412_2090.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274833_WINWORD.EXE_3548_4412_2089.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274834_WINWORD.EXE_3548_4412_2088.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274834_WINWORD.EXE_3548_4412_2087.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274834_WINWORD.EXE_3548_4412_2086.dmp2021-04-21 17:49:55.757 11241100x80000000000000001549074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.757{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274835_WINWORD.EXE_3548_4412_2085.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274835_WINWORD.EXE_3548_4412_2084.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274836_WINWORD.EXE_3548_4412_2083.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274836_WINWORD.EXE_3548_4412_2082.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274837_WINWORD.EXE_3548_4412_2081.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274837_WINWORD.EXE_3548_4412_2080.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274838_WINWORD.EXE_3548_4412_2079.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274838_WINWORD.EXE_3548_4412_2078.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274838_WINWORD.EXE_3548_4412_2077.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274839_WINWORD.EXE_3548_4412_2076.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274839_WINWORD.EXE_3548_4412_2075.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274840_WINWORD.EXE_3548_4412_2074.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274840_WINWORD.EXE_3548_4412_2073.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274841_WINWORD.EXE_3548_4412_2072.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274841_WINWORD.EXE_3548_4412_2071.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274841_WINWORD.EXE_3548_4412_2070.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274842_WINWORD.EXE_3548_4412_2069.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274842_WINWORD.EXE_3548_4412_2068.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274843_WINWORD.EXE_3548_4412_2067.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274843_WINWORD.EXE_3548_4412_2066.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274844_WINWORD.EXE_3548_4412_2065.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274844_WINWORD.EXE_3548_4412_2064.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274844_WINWORD.EXE_3548_4412_2063.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274845_WINWORD.EXE_3548_4412_2062.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274845_WINWORD.EXE_3548_4412_2061.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274846_WINWORD.EXE_3548_4412_2060.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274846_WINWORD.EXE_3548_4412_2059.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274847_WINWORD.EXE_3548_4412_2058.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274847_WINWORD.EXE_3548_4412_2057.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274847_WINWORD.EXE_3548_4412_2056.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274848_WINWORD.EXE_3548_4412_2055.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274848_WINWORD.EXE_3548_4412_2054.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274849_WINWORD.EXE_3548_4412_2053.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274849_WINWORD.EXE_3548_4412_2052.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274850_WINWORD.EXE_3548_4412_2051.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.742{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274850_WINWORD.EXE_3548_4412_2050.dmp2021-04-21 17:49:55.742 11241100x80000000000000001549038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274851_WINWORD.EXE_3548_4412_2049.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274851_WINWORD.EXE_3548_4412_2048.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274851_WINWORD.EXE_3548_4412_2047.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274852_WINWORD.EXE_3548_4412_2046.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274852_WINWORD.EXE_3548_4412_2045.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274853_WINWORD.EXE_3548_4412_2044.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274853_WINWORD.EXE_3548_4412_2043.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274854_WINWORD.EXE_3548_4412_2042.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274854_WINWORD.EXE_3548_4412_2041.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274854_WINWORD.EXE_3548_4412_2040.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274855_WINWORD.EXE_3548_4412_2039.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274855_WINWORD.EXE_3548_4412_2038.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274856_WINWORD.EXE_3548_4412_2037.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274856_WINWORD.EXE_3548_4412_2036.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274857_WINWORD.EXE_3548_4412_2035.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274857_WINWORD.EXE_3548_4412_2034.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274857_WINWORD.EXE_3548_4412_2033.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274858_WINWORD.EXE_3548_4412_2032.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274858_WINWORD.EXE_3548_4412_2031.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274859_WINWORD.EXE_3548_4412_2030.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274859_WINWORD.EXE_3548_4412_2029.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274860_WINWORD.EXE_3548_4412_2028.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274860_WINWORD.EXE_3548_4412_2027.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274860_WINWORD.EXE_3548_4412_2026.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274861_WINWORD.EXE_3548_4412_2025.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274861_WINWORD.EXE_3548_4412_2024.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274862_WINWORD.EXE_3548_4412_2023.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274862_WINWORD.EXE_3548_4412_2022.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274863_WINWORD.EXE_3548_4412_2021.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274863_WINWORD.EXE_3548_4412_2020.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274863_WINWORD.EXE_3548_4412_2019.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274864_WINWORD.EXE_3548_4412_2018.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274864_WINWORD.EXE_3548_4412_2017.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274865_WINWORD.EXE_3548_4412_2016.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274865_WINWORD.EXE_3548_4412_2015.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274866_WINWORD.EXE_3548_4412_2014.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274866_WINWORD.EXE_3548_4412_2013.dmp2021-04-21 17:49:55.710 11241100x80000000000000001549001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274867_WINWORD.EXE_3548_4412_2012.dmp2021-04-21 17:49:55.710 11241100x80000000000000001549000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274867_WINWORD.EXE_3548_4412_2011.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274868_WINWORD.EXE_3548_4412_2010.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274868_WINWORD.EXE_3548_4412_2009.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274869_WINWORD.EXE_3548_4412_2008.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274869_WINWORD.EXE_3548_4412_2007.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274869_WINWORD.EXE_3548_4412_2006.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274870_WINWORD.EXE_3548_4412_2005.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274870_WINWORD.EXE_3548_4412_2004.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274871_WINWORD.EXE_3548_4412_2003.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274871_WINWORD.EXE_3548_4412_2002.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274872_WINWORD.EXE_3548_4412_2001.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274872_WINWORD.EXE_3548_4412_2000.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274873_WINWORD.EXE_3548_4412_1999.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274873_WINWORD.EXE_3548_4412_1998.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274873_WINWORD.EXE_3548_4412_1997.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274874_WINWORD.EXE_3548_4412_1996.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274874_WINWORD.EXE_3548_4412_1995.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274877_WINWORD.EXE_3548_4412_1994.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274878_WINWORD.EXE_3548_4412_1993.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274878_WINWORD.EXE_3548_4412_1992.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274878_WINWORD.EXE_3548_4412_1991.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274879_WINWORD.EXE_3548_4412_1990.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274879_WINWORD.EXE_3548_4412_1989.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274880_WINWORD.EXE_3548_4412_1988.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274880_WINWORD.EXE_3548_4412_1987.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274881_WINWORD.EXE_3548_4412_1986.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274881_WINWORD.EXE_3548_4412_1985.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274882_WINWORD.EXE_3548_4412_1984.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274882_WINWORD.EXE_3548_4412_1983.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.709{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274882_WINWORD.EXE_3548_4412_1982.dmp2021-04-21 17:49:55.709 11241100x80000000000000001548970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.709{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274883_WINWORD.EXE_3548_4412_1981.dmp2021-04-21 17:49:55.709 11241100x80000000000000001548969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.708{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274883_WINWORD.EXE_3548_4412_1980.dmp2021-04-21 17:49:55.708 11241100x80000000000000001548968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.708{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274884_WINWORD.EXE_3548_4412_1979.dmp2021-04-21 17:49:55.708 11241100x80000000000000001548967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.708{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274884_WINWORD.EXE_3548_4412_1978.dmp2021-04-21 17:49:55.707 11241100x80000000000000001548966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.707{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274885_WINWORD.EXE_3548_4412_1977.dmp2021-04-21 17:49:55.707 11241100x80000000000000001548965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.707{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274885_WINWORD.EXE_3548_4412_1976.dmp2021-04-21 17:49:55.707 11241100x80000000000000001548964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.706{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274886_WINWORD.EXE_3548_4412_1975.dmp2021-04-21 17:49:55.706 11241100x80000000000000001548963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.706{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274886_WINWORD.EXE_3548_4412_1974.dmp2021-04-21 17:49:55.706 11241100x80000000000000001548962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.705{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274887_WINWORD.EXE_3548_4412_1973.dmp2021-04-21 17:49:55.705 11241100x80000000000000001548961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.705{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274887_WINWORD.EXE_3548_4412_1972.dmp2021-04-21 17:49:55.705 11241100x80000000000000001548960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.704{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274887_WINWORD.EXE_3548_4412_1971.dmp2021-04-21 17:49:55.704 11241100x80000000000000001548959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.704{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274888_WINWORD.EXE_3548_4412_1970.dmp2021-04-21 17:49:55.704 11241100x80000000000000001548958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274888_WINWORD.EXE_3548_4412_1969.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274889_WINWORD.EXE_3548_4412_1968.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274889_WINWORD.EXE_3548_4412_1967.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274890_WINWORD.EXE_3548_4412_1966.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274890_WINWORD.EXE_3548_4412_1965.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274891_WINWORD.EXE_3548_4412_1964.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274891_WINWORD.EXE_3548_4412_1963.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274891_WINWORD.EXE_3548_4412_1962.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274892_WINWORD.EXE_3548_4412_1961.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274892_WINWORD.EXE_3548_4412_1960.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274893_WINWORD.EXE_3548_4412_1959.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Mic