11241100x80000000000000001545806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:54.812{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:54.812{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68751DC9A0C06132ED1152C15BA877E4,SHA256=8502BE19546AD449F89531F7244664BD0686E0C58DE4C33CA1EE486A6B833814falsefalse - insufficient disk space 11241100x80000000000000001545815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.899{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.899{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1141887441C88083F3CF7E143BE6970,SHA256=64ABC7BCF794755AA35BC5FDF59A1F0921E5EF4B582BF05039099644A4C51CAFfalsefalse - insufficient disk space 10341000x80000000000000001066903Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:47:55.915{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066902Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:55.915{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066901Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:55.181{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2740488F9C1F401C282499530C7794B1,SHA256=6ACF9E79450D23DBA701244B227AAE46DFBC78950C057FB3C5F92A09580679A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001545813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:47:55.478{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001545812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.478{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001545811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:47:55.477{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AE-607D-1500-00000000BB01}1100C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001545810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.078{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.077{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA30DD99C9DD4845E4150EE997221DD,SHA256=3F52B862F2D4F4AC7CEFB6D2DF4DBD8625301008EAD8BE90C7D1AED275CD74F7falsefalse - insufficient disk space 11241100x80000000000000001545808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.077{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000001545807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:55.077{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AECB43A722322AB027502A43EAEEFE59,SHA256=F420F2E9E77376CA8D2218A789FAEF2FD8ABC2E26DFF16CA83BB432D461648E7falsefalse - insufficient disk space 11241100x80000000000000001545818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:56.902{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:56.902{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C13DCADF581637D764BF073162C1A59,SHA256=654492CEB5E8E56D0679E1A1F4F918DF21D5443EB7F24DFE9DAE0CD60C47E365falsefalse - insufficient disk space 354300x80000000000000001545816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:53.627{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64978-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001066908Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:47:56.916{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066907Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:56.916{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066906Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:56.890{761B69BB-818C-607D-0D00-00000000BA01}9046912C:\Windows\system32\svchost.exe{761B69BB-63E3-6080-E95C-00000000BA01}6292C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066905Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:47:56.890{761B69BB-818C-607D-0D00-00000000BA01}9046912C:\Windows\system32\svchost.exe{761B69BB-63E3-6080-E95C-00000000BA01}6292C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066904Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:56.194{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9245DCD791698286AC1850B389DA888C,SHA256=D72F378DBEE9B476F4DF3D51316B2E909FAAF3628A9CC8B4A6EADA7A634AFFD2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:57.904{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:57.904{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704EFC2F42A9F656E1CB902C04746DE8,SHA256=895487410D1576B438ED2CE08E5B2A644C1E4F459AE1716C2EC4AED70682531Afalsefalse - insufficient disk space 10341000x80000000000000001066913Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:47:57.917{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066912Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:57.917{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066911Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:57.203{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32599F835EE0EB4E7D50B39A90C98E90,SHA256=FB10977C9C74C03E8DF353F765FE52E4F1F1979EC2239331AC7C16882DA7071D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066910Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:47:57.151{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72329CF878234A66A5A419DDB48C9707,SHA256=4762C30FE876F6F963A25D1F76E5123C3F5F8608AFF074AF8E6AFDBE51DD7868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066909Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:57.150{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D92BBCB35BC61DA88AA138E49A25370,SHA256=D86104F7A4F16F61E160F58EDF8E9DBF6ED213F5957AACDF89E752BEABF6F98E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:58.953{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:58.953{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F7917B88CB83F33383257A0F9F3AD6,SHA256=050CADFA89608C63656B6388375F27365B6C80C16F23C0437B870CBCDFB2FBB3falsefalse - insufficient disk space 10341000x80000000000000001066917Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:47:58.918{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066916Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:58.918{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001066915Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:52.813{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32478-false10.0.1.12-8000- 23542300x80000000000000001066914Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:58.211{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5062F08C2239F4F501233034A67298CD,SHA256=B9811437FC71CC4725BF2D80632E03ED30F1F0C1FCF782E22E5EFD1124871294,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:59.971{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:59.971{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F71CC3D27980055AEED1D06B756F4E5,SHA256=55090A0CBA8DF55383D3E3F4F30F251EBCC948AB3858039242A90A9E227F9EE9falsefalse - insufficient disk space 10341000x80000000000000001066920Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:59.918{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066919Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:47:59.918{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066918Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:59.216{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B70772BE4CA0D0420FB967E09781A5,SHA256=E2CCA4CBF4F82CF33343EC2FF0CBCB1366F8B3DC1BB4A56C60E489C95D88F576,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:00.973{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:00.973{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D3BB3FDFE7294E2CFBFAC6A28D2035F,SHA256=559C39460DFE90F6510F19A82D8FCA9386B1EFE0C62B30142BF3759FCC5A9F0Cfalsefalse - insufficient disk space 
10341000x80000000000000001066923Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:00.919{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066922Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:00.919{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066921Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:00.223{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92DFEE0DAFF88D450905D9847561E119,SHA256=2331E1186F1F652642C509C3CDB809DE7CB82C2298E66D2F9FAD3EF62361B2C4,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001545832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.975{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.975{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA79857659C42DB1CD5135EF851D2522,SHA256=03F7A729DF64E98D08D65E54F57495F1CDB7126BFF19634FB2F15849B07F0BA7falsefalse - insufficient disk space 10341000x80000000000000001066926Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:01.920{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066925Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:01.920{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066924Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:01.230{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F808994FA88EAB60E365A5D74A30273C,SHA256=0BD1D3D04D23DB476CF0889E8EBC6362538A22A78B0F45205DAC5FB7D5DE44B8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.211{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.211{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FC860BB41C12A088825F6AB719B9EC,SHA256=325F73D9159C3316952999C9328A4AC85D21645423130EEE66C663DBE069AF90falsefalse - insufficient disk space 
11241100x80000000000000001545828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.211{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:01.211{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADA30DD99C9DD4845E4150EE997221DD,SHA256=3F52B862F2D4F4AC7CEFB6D2DF4DBD8625301008EAD8BE90C7D1AED275CD74F7falsefalse - insufficient disk space 354300x80000000000000001545833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:47:59.663{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64979-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001066929Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:02.921{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001066928Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:02.921{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066927Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:02.234{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB6F75CD535338DBABE4EA49D34B8BB,SHA256=A5CCE196156323F7D64B05D2FA019AF73368FA7168D8B08324EAEE3DBEC52F49,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:03.031{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:03.031{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205C844AE7F466E65F32AD8E624FEB58,SHA256=1B36985065FAF9CEBAE3DECA8D8409AFFE7E2BC9968CB04E2A45108584A9179Afalsefalse - insufficient disk space 10341000x80000000000000001066935Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066934Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066933Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.268{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D46AF350928ABE47A88D8E73F5036267,SHA256=73363D3AAE15D2DE3F703C158822DEF9571AF78233946CBEADF96B844B8C6220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066932Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.267{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72329CF878234A66A5A419DDB48C9707,SHA256=4762C30FE876F6F963A25D1F76E5123C3F5F8608AFF074AF8E6AFDBE51DD7868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066931Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.237{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F950945F76B0C826555ACFF1E2146DC,SHA256=6FF3A656014535C34B185943280493F0A45685A0001BC11F2D9A125C85C81374,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001066930Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:47:58.707{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32479-false10.0.1.12-8000- 10341000x80000000000000001066938Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:04.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066937Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:04.922{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066936Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:04.243{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9136F430138809507B78FF62150399,SHA256=2BA341BEE3D4FE4B0E18FDABF342AAAB7EFC595B57570F0844980C6F923EE75E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:04.033{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:04.033{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5C3891425D00B342FA0C29A7DB31FB,SHA256=FDA800C6D4541B90F4DD9F1858E7A015E4A0FC1C4E95BCEDA88B575973B8FDE0falsefalse - insufficient disk space 10341000x80000000000000001066941Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:05.923{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066940Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:05.923{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066939Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:05.246{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21503FB8D92A7F7728F82F51DA84B27A,SHA256=7EF80D88B38EB53078B443111C41917998B53CE0DBF07EB5410EE4539E73939A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:05.067{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:05.067{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E948FDEE60C548CB33B8F8C6341851,SHA256=5F7D498A307F6A7ECB8D903049433037B983A0DE3261F8EDA0A885A0AA29D774falsefalse - insufficient disk space 
10341000x80000000000000001066946Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:06.924{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066945Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:06.924{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066944Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:06.250{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7A76A188035E50F559E7CC337963BD,SHA256=4A84895606B3964B69C1C4C7CA13B155B49E731AABEB305BC408667448D9C99D,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001545841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:06.085{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:06.085{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C44D4E1FD6567DC0FD2E79A2C8BBE61D,SHA256=2FA7FAD92C464CDA2646F495BBE20D703CE62B389BFB42F2D4BC72F5E30FF1ECfalsefalse - insufficient disk space 354300x80000000000000001066943Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:01.490{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32480-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001066942Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:06.047{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D46AF350928ABE47A88D8E73F5036267,SHA256=73363D3AAE15D2DE3F703C158822DEF9571AF78233946CBEADF96B844B8C6220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001545866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:07.742{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb41a720.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000001545865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.742{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb41a720.TMP2021-04-21 17:48:07.742 254200x80000000000000001545864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.742{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\flby3lsk.tmp2021-04-20 20:22:02.3742021-04-21 17:48:07.742 11241100x80000000000000001545863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.742{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\flby3lsk.tmp2021-04-21 17:48:07.742 13241300x80000000000000001545862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000001545861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000001545860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000001545859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000001545858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000001545857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000001545856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000001545855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000001545854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000001545853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000001545852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000001545851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 
12241200x80000000000000001545850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000001545849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:07.357{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000001545848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.226{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.226{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74438FA4E43C926AAD7C6AA193F72C46,SHA256=5778B78851A184EA8F8A3EEC5624DC402FD55A0D290495033C38ACAF6B7D8103falsefalse - insufficient disk space 11241100x80000000000000001545846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.226{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:07.226{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FC860BB41C12A088825F6AB719B9EC,SHA256=325F73D9159C3316952999C9328A4AC85D21645423130EEE66C663DBE069AF90falsefalse - insufficient disk space 354300x80000000000000001545844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:05.655{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64980-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001545843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.088{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:07.088{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4D74FC629CCD14AB11B03F2C1FB596,SHA256=71BBF223E6E6151C55565984C838D9E9B0D5DAE6ED314A6A40079ABB83A935EFfalsefalse - insufficient disk space 10341000x80000000000000001066949Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:07.925{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066948Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:07.925{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066947Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:07.255{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD6CBF8C834B536EBAF4454E6ED6034,SHA256=30CFEBBDEBC592C915D1B203DE53E59D5A580BC0DA6EBE05690C6F7A3E669A70,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:08.112{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:08.112{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1708BD48F924EC3B3F5DEAC3CF6E8CB,SHA256=785C268A12CB937478469DD9ED5E22967C95D575B2CC1C2D7BBAC3DEE6240F88falsefalse - insufficient disk space 10341000x80000000000000001066961Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066960Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:08.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066959Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.267{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D43411B04C45465F7A7413ED1B0A7550,SHA256=2BB6A89AA7C69D28AA4B0E32C1639606F9EC151D91456AAB5DE40FAF769CD5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066958Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.190{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAA97A6E96FD2152E27E58B4941A0479,SHA256=211E2BB3A858493CCC5E5D3BCEF2245F674AF5F823192F4B7638493F8113A8C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001066957Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.052{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6558-6080-185D-00000000BA01}6540C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066956Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.050{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066955Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:08.050{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066954Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.049{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066953Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:08.049{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066952Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.049{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-6558-6080-185D-00000000BA01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001066951Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.049{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6558-6080-185D-00000000BA01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001066950Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:08.048{761B69BB-6558-6080-185D-00000000BA01}6540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001545870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:09.161{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:09.161{21761711-8437-607D-CE00-00000000BB01}2032NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FD6FEAD3702FDB02A3F52EA3427400,SHA256=E769871378DA4444C8A23CE498AC1351B1C46C4734E70CF1EC69B69D38C73E06falsefalse - insufficient disk space 10341000x80000000000000001066965Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:09.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066964Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:09.926{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066963Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:09.272{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA1A82D2629AEFAA4D75F8A6DD86411,SHA256=A73E4CD454D0955303B1512FE5A63DEA7F09F8825118D5912C590316A188024C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001066962Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:03.840{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32481-false10.0.1.12-8000- 11241100x80000000000000001545872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:10.316{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:10.316{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60609275C8B88FD24FF350FE038BF15,SHA256=E824C64EABECF3819F9E48D8B5073990D0D9DA7A24AFFD336A9A32E96080CC0Efalsefalse - insufficient disk space 10341000x80000000000000001066968Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:10.927{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066967Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:10.927{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066966Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:10.286{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E6F0F16A9E16D948466052854591ED,SHA256=EC820B483AFACA83C4EBF8A0C2B682D2C1E941F2C66768C840A2D18E8FD8CD26,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:11.366{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:11.366{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AB277FF5DE25C7C0D4A9C02BCAA615,SHA256=28E99DB3DB4D39AA90FD289D4A3408F5A8E3543EE247EFCCD65A606BC8E84B4Efalsefalse - insufficient disk space 10341000x80000000000000001066981Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.928{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066980Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:11.928{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066979Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.879{761B69BB-655B-6080-195D-00000000BA01}6864872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066978Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.745{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-655B-6080-195D-00000000BA01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001066977Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.743{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066976Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.743{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066975Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:11.743{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066974Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.742{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066973Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.742{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-655B-6080-195D-00000000BA01}6864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001066972Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.742{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-655B-6080-195D-00000000BA01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001066971Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.741{761B69BB-655B-6080-195D-00000000BA01}6864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001066970Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.366{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8ECA19983C82107D581E1F68F4ADD88,SHA256=3DFF7097D5000E72EE5992D5B4C53FED0990C9E8114D6BAEC3CDBF0D3293C764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001066969Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.288{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72B54F54B0DC4ADDB9C0ADB3641F301,SHA256=CCB8E30CBDA74BEE4D8D3319EFD0E9FD048DA283E2707DDC30103F9FDFFDD4F9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:11.297{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-04-19 13:21:46.711 23542300x80000000000000001545873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:11.297{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B8CC46532F46F47EE32F75B90E1E5966,SHA256=BDF51C347B522E4C843792322F7252049DE5697C48D40748CA37DB6292B92D35falsefalse - insufficient disk space 10341000x80000000000000001066993Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.929{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066992Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.929{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001066991Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.745{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=379CC40E4CD11EE1E73C2ECE176F38F4,SHA256=84D23E80365689B76A010E945B7A54767163A202E9A0783F712D89CAA1DDCE00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001066990Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.408{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-655C-6080-1A5D-00000000BA01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066989Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066988Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:12.406{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066987Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066986Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:12.406{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001066985Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-655C-6080-1A5D-00000000BA01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001066984Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.406{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-655C-6080-1A5D-00000000BA01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001066983Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.405{761B69BB-655C-6080-1A5D-00000000BA01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001066982Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.297{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B40192EAFD0EE5054D978E33FC9509,SHA256=83ACDC9EFE3850EA56E7FBE7F0B4062BC106F126632555E534FE1D077EBDF21F,IMPHASH=00000000000000000000000000000000falsetrue 
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545878 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:12.369 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545877 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:12.369 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=7F006E3CAA5292D843BD67A11FF13755,SHA256=DA80967548B5C5465253E298F366FBB79DE7058F257D71173CD3C3EBDA07ED57 IsExecutable=false Archived=false - insufficient disk space
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545886 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.402 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545885 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.402 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=71C37C5C09E1A6657F85F70D758E8A0A,SHA256=F5B52E822D4EE4A149AF827EDDDCF5E4AE955E57F3AEB485DA974A0F2A90E75C IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067005 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.929 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067004 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.929 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067003 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.307 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=8E533EBE190179A34F9DD5EBC702D153,SHA256=0FDF345E96F702A2A0C31F936BAC0613B57F5E4E1EB64DD763945503754812B2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067002 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.205 SourceProcessGUID={761B69BB-655D-6080-1B5D-00000000BA01} SourceProcessId=5928 SourceThreadId=2496 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe TargetProcessGUID={761B69BB-8200-607D-A100-00000000BA01} TargetProcessId=4148 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe GrantedAccess=0x101400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067001 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.073 SourceProcessGUID={761B69BB-8200-607D-A500-00000000BA01} SourceProcessId=4344 SourceThreadId=3804 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={761B69BB-655D-6080-1B5D-00000000BA01} TargetProcessId=5928 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067000 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.071 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=2240 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-819C-607D-2700-00000000BA01} TargetProcessId=2816 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1066999 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.071 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=2240 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-819C-607D-2700-00000000BA01} TargetProcessId=2816 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1066998 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.071 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=2240 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-819C-607D-2700-00000000BA01} TargetProcessId=2816 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1066997 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.070 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=2240 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-819C-607D-2700-00000000BA01} TargetProcessId=2816 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1066996 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.070 SourceProcessGUID={761B69BB-818A-607D-0500-00000000BA01} SourceProcessId=408 SourceThreadId=412 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={761B69BB-655D-6080-1B5D-00000000BA01} TargetProcessId=5928 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1066995 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.070 SourceProcessGUID={761B69BB-8200-607D-A100-00000000BA01} SourceProcessId=4148 SourceThreadId=3464 SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetProcessGUID={761B69BB-655D-6080-1B5D-00000000BA01} TargetProcessId=5928 TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe GrantedAccess=0x1fffff CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1066994 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.069 ProcessGuid={761B69BB-655D-6080-1B5D-00000000BA01} ProcessId=5928 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe FileVersion=- Description=- Product=- Company=- OriginalFileName=- CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" CurrentDirectory=C:\Windows\system32\ User=NT AUTHORITY\SYSTEM LogonGuid={761B69BB-818A-607D-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C ParentProcessGuid={761B69BB-8200-607D-A100-00000000BA01} ParentProcessId=4148 ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545884 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.255 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-04-19 13:20:22.616
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545883 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.255 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=E32CA4CD75EF85C4D08657AF066C9D69,SHA256=62657100E188480A69E47FFA6582E462C0080C16ED709B761C6BAC767225805F IsExecutable=false Archived=false - insufficient disk space
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545882 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.255 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-04-19 13:20:22.616
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545881 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.255 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=74438FA4E43C926AAD7C6AA193F72C46,SHA256=5778B78851A184EA8F8A3EEC5624DC402FD55A0D290495033C38ACAF6B7D8103 IsExecutable=false Archived=false - insufficient disk space
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545880 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.139 ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml CreationUtcTime=2021-04-19 13:22:46.774
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545879 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:13.139 ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml Hashes=MD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E IsExecutable=false Archived=false - insufficient disk space
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545890 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:12.693 ProcessGuid={21761711-842A-607D-9700-00000000BB01} ProcessId=3716 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=64982 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8089 DestinationPortName=-
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545889 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:11.691 ProcessGuid={21761711-8431-607D-C500-00000000BB01} ProcessId=3840 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=64981 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545888 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:14.423 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545887 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:14.423 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=6EA7F1670D01BA3AF0B34D14AE8C22EE,SHA256=EA6C7B2F5025685F9B8B34073C41D23E94D27056C6AB430EFD168CA451C785BD IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067009 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:14.930 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067008 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:14.930 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067007 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:14.310 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=57F789164364099ACD7CBE585B0E2AAE,SHA256=08D2A42E2C0ED3F4C27224114929CD89063C3D0E98C9A4ACEAE944CC789F7F6A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067006 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:14.076 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=4EAF184B119214700EE139C5D84C5867,SHA256=42759323988E251B7B385C6A6DA4A3DA5F6F4055FFA7718D254A10397263DBC6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545892 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:15.445 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545891 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:15.445 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=56380D90FF94CD367C5CF826A0D7C6E4,SHA256=3A00EA25F923C9FDE30CF63393C45D66F22CB80D5E39995123529C920EC89F89 IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067014 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:15.930 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067013 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:15.930 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067012 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:15.339 SourceProcessGUID={761B69BB-818A-607D-0B00-00000000BA01} SourceProcessId=632 SourceThreadId=4224 SourceImage=C:\Windows\system32\lsass.exe TargetProcessGUID={761B69BB-8188-607D-0100-00000000BA01} TargetProcessId=4 TargetImage=System GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067011 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:15.316 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=AE8038C640700887AA15B6962A025BFB,SHA256=F7998395DD1D5B19E58C674068D6B759F4645003C6C591407199149961F191CC,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067010 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:09.739 ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} ProcessId=4116 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=32482 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
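This capture was exported as Windows event XML with the tags stripped, which runs each event's fields together into one string (the form the sample records below are in). The parser that follows is an added example, not part of the capture and not Sysmon or Splunk code: it rebuilds the named fields from the Sysmon field order of the five event types present in this capture (1 ProcessCreate, 3 NetworkConnect, 10 ProcessAccess, 11 FileCreate, 23 FileDelete), relying on the fact that Sysmon's Task always equals its EventID and that GUIDs, paths, hash lists and timestamps have recognisable shapes, and then runs two checks over the result: FileDelete events whose archive copy failed (every FileDelete on win-host-5 in this capture says "insufficient disk space", while those on win-dc-982 archived fine), and ProcessAccess events that open lsass.exe for memory reading. The five sample records are copied from this page (the lsass.exe call trace cut to its first three frames). `parse_record`, `archive_failures`, `lsass_readers` and the field name `SourcePidTid` are this example's own names; the other field names are Sysmon's. It assumes, as holds for every record here but not for Sysmon output in general, that RuleName is `-`, that image paths end in `.exe` or are the bare `System` pseudo-process, that ProcessCreate's five metadata fields are `-`, and that command lines are double-quoted.

```python
"""Rebuild named Sysmon fields from tag-stripped event records (one fused string
per event, the form in which this Attack Range capture was exported) and run
two checks over them.  Added example; not part of the capture, Sysmon or Splunk.
Assumed, true of every record on this page but not of Sysmon output in general:
RuleName is "-", image paths end in ".exe" or are the bare "System" pseudo-
process, ProcessCreate's five metadata fields are "-", command lines are quoted."""
import re

GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}"
PATH = r"[A-Za-z]:\\.+?"   # lazy: a path ends where the next field's pattern starts
HASHES = r"MD5=[0-9A-F]{32}(?:,SHA256=[0-9A-F]{64})?(?:,IMPHASH=[0-9A-F]{32})?"
BOOL, HEX, IP = r"true|false", r"0x[0-9a-fA-F]+", r"\d+\.\d+\.\d+\.\d+"

# <System> header (EventID Version Level Task Opcode Keywords EventRecordID Channel
# Computer) followed by Sysmon's RuleName and UtcTime.  Sysmon's Task always equals
# its EventID, so the (?P=EventID) back-reference splits the fused digits safely.
HEADER = re.compile(
    rf"^(?P<EventID>\d+)(?P<Version>\d)(?P<Level>\d)(?P=EventID)(?P<Opcode>\d)"
    rf"(?P<Keywords>0x[0-9A-F]{{16}})(?P<EventRecordID>\d+)"
    rf"(?P<Channel>Microsoft-Windows-Sysmon/Operational)(?P<Computer>.+?)"
    rf"(?P<RuleName>-)(?P<UtcTime>{TS})(?P<body>.*)$")

BODY = {  # <EventData> field order of each Sysmon event type, as captured here
    "11": re.compile(  # FileCreate
        rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{PATH})"
        rf"(?P<TargetFilename>{PATH})(?P<CreationUtcTime>{TS})$"),
    "23": re.compile(  # FileDelete; a failed archive appends " - <reason>" to Archived
        rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<User>.+?)(?P<Image>{PATH})"
        rf"(?P<TargetFilename>{PATH})(?P<Hashes>{HASHES})(?P<IsExecutable>{BOOL})"
        rf"(?P<Archived>{BOOL})(?: - (?P<ArchiveFailure>.*))?$"),
    "10": re.compile(  # ProcessAccess; SourceProcessId and SourceThreadId are fused
        rf"^(?P<SourceProcessGUID>{GUID})(?P<SourcePidTid>\d+)(?P<SourceImage>{PATH})"
        rf"(?P<TargetProcessGUID>{GUID})(?P<TargetProcessId>\d+)(?P<TargetImage>.+?)"
        rf"(?P<GrantedAccess>{HEX})(?P<CallTrace>[A-Za-z]:\\.*)$"),
    "1": re.compile(  # ProcessCreate, schema v5; "-----" = the five "-" metadata fields
        rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{PATH})-----"
        rf"\"(?P<CommandLine>[^\"]*)\"(?P<CurrentDirectory>.+\\)(?P<User>[^\\]+\\[^\\]+)"
        rf"(?P<LogonGuid>{GUID})(?P<LogonId>{HEX})(?P<TerminalSessionId>\d+)"
        rf"(?P<IntegrityLevel>[A-Za-z]+)(?P<Hashes>{HASHES})(?P<ParentProcessGuid>{GUID})"
        rf"(?P<ParentProcessId>\d+)(?P<ParentImage>{PATH})(?P<ParentCommandLine>\".*)$"),
    "3": re.compile(  # NetworkConnect
        rf"^(?P<ProcessGuid>{GUID})(?P<ProcessId>\d+)(?P<Image>{PATH}\.exe)"
        rf"(?P<User>[^\\]+\\[^\\]+?)(?P<Protocol>tcp|udp)(?P<Initiated>{BOOL})"
        rf"(?P<SourceIsIpv6>{BOOL})(?P<SourceIp>{IP})(?P<SourceHostname>.+?)(?P<SourcePort>\d+)"
        rf"(?P<SourcePortName>-|[A-Za-z]+)(?P<DestinationIsIpv6>{BOOL})(?P<DestinationIp>{IP})"
        rf"(?P<DestinationHostname>.+?)(?P<DestinationPort>\d+)(?P<DestinationPortName>-|[A-Za-z]+)$"),
}


def parse_record(record):
    """Named fields of one flattened event; ValueError if it fits no pattern."""
    head = HEADER.match(record.strip())
    if not head:
        raise ValueError("unrecognised header: " + record[:40])
    fields = head.groupdict()
    pat = BODY.get(fields["EventID"])
    m = pat.match(fields.pop("body")) if pat else None
    if not m:
        raise ValueError("EventID %s body did not parse" % fields["EventID"])
    fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def archive_failures(events):
    """FileDelete events whose deleted file was not archived.  Sysmon appends the
    reason after the Archived flag ("insufficient disk space" throughout this page);
    from then on the FileDelete archive silently stops preserving deleted files."""
    return [(e["EventRecordID"], e["Computer"], e.get("ArchiveFailure", ""))
            for e in events if e["EventID"] == "23" and e["Archived"] == "false"]


def lsass_readers(events):
    """ProcessAccess events opening lsass.exe with PROCESS_VM_READ (0x10), the usual
    credential-dump indicator.  No record on this page qualifies: its only lsass.exe
    ProcessAccess has lsass as the *source*, reaching into PID 4 (System)."""
    return [e for e in events if e["EventID"] == "10"
            and e["TargetImage"].lower().endswith("\\lsass.exe")
            and int(e["GrantedAccess"], 16) & 0x10]


SAMPLES = [  # copied from this page; the lsass call trace is cut to its first frames
    r"11241100x80000000000000001545878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:12.369"
    r"{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072",
    r"23542300x80000000000000001545877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:12.369"
    r"{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"
    r"C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational"
    r"MD5=7F006E3CAA5292D843BD67A11FF13755,SHA256=DA80967548B5C5465253E298F366FBB79DE7058F257D71173CD3C3EBDA07ED57falsefalse - insufficient disk space",
    r"10341000x80000000000000001067012Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:15.339"
    r"{761B69BB-818A-607D-0B00-00000000BA01}6324224C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000"
    r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2",
    r'154100x80000000000000001066994Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:13.069'
    r'{761B69BB-655D-6080-1B5D-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----'
    r'"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM'
    r'{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,'
    r'SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C'
    r'{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe'
    r'"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service',
    r"354300x80000000000000001545890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:12.693"
    r"{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEM"
    r"tcptruefalse10.0.1.15win-host-5.attackrange.local64982-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089-",
]

if __name__ == "__main__":
    events = [parse_record(r) for r in SAMPLES]
    print("archive failures:", archive_failures(events))
    print("lsass readers:", lsass_readers(events))
```

`SourceProcessId` and `SourceThreadId` come out as one digit run (`SourcePidTid`) because nothing in the stripped form separates them; reading `6324224` as PID 632 and thread 4224 takes a cross-reference to another event that names the same process, or to the host's process list, which the parser does not attempt. `ArchiveFailure` is present only when `Archived` is `false`, so a FileDelete that did archive parses cleanly too.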
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545894 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.447 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1545893 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.447 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=7E06F9B61322BB15EAC1D0C5E1461E9A,SHA256=FF37B4C9086B638CF0646990760821EB3B85A9860FEABF70D700A03343B0E99D IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067056 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.931 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067055 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.931 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId=844 SourceThreadId=972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067054 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.898 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067053 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.898 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067052 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.898 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067051 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.898 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067050 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.898 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067049 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.898 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067048 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.898 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067047 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.898 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067046 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067045 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067044 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067043 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067042 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067041 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067040 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067039 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067038 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067037 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067036 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:48:16.897 SourceProcessGUID={761B69BB-818C-607D-0D00-00000000BA01} SourceProcessId=904 SourceThreadId=924 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} TargetProcessId=372 TargetImage=C:\Windows\Explorer.EXE GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067035 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 
17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067034Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067033Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067032Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067031Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067030Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067029Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067028Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067027Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067026Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.897{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067025Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067024Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067023Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067022Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067021Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067020Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.896{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.329{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E9A83391B1E982F1A64B085C9CD5B2,SHA256=4AA2DB7B2DA402DFE14289729C74CD914C10E779B01CEA94A0D9870CF02CF929,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001067016Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:16.282{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AC136306270C07EA53242178F3EED66,SHA256=09F53B853AD535D2A62F2D23D770E7DFD2F5CAC8D12B100698A533DDAC7C6100,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001067015Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.722{761B69BB-64B9-6080-095D-00000000BA01}4328C:\Windows\System32\dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32483-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000001545896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:17.497{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:17.497{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD602B9F449A38BE52473E9C0708214,SHA256=20552C692092949C15505D93F503CB1DB6EC7BBF1EE60DE8BFF59C1E4A9D0978falsefalse - insufficient disk space 10341000x80000000000000001067069Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:17.932{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067068Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:17.932{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067067Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:17.369{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30F26BAEC9B57C1D542D46F05B4B4FE,SHA256=6AEAA99A38027DD2C23B1E11FF5CAC1D2ECBE42D7C9A835D897624C54680F00A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001067066Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:12.009{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32488-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001067065Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.009{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32488-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds 354300x80000000000000001067064Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.006{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32487-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001067063Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.006{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32487-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local49669- 354300x80000000000000001067062Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.006{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32486-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001067061Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:12.006{761B69BB-818C-607D-1400-00000000BA01}1028C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32486-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap 354300x80000000000000001067060Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.909{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local32485-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001067059Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.909{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32485-false10.0.1.14win-dc-982.attackrange.local389ldap 354300x80000000000000001067058Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.902{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32484-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 354300x80000000000000001067057Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:11.902{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local32484-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap 11241100x80000000000000001545898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:18.499{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:18.499{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7748E0A679317DB161D5F2717C040DBD,SHA256=E07CCA4B6BE5C449D8DFEB6BED25547FF4E4F06BEE52AC7B1E5F9E527327B0E4falsefalse - insufficient disk space 10341000x80000000000000001067072Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:18.933{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067071Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:18.933{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067070Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:18.371{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F48D51DD5DCCAACFFF17F58BC38108,SHA256=5FD52B2FD3B1E0BE14815B7B50B78285063D854A7A8187E20FAAFA086CCEB32A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.636{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.635{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27AFB98BE909A7EDAFC99BEF7E1EF74,SHA256=BBB17846D75EBAAF727C473910BD1658BD583B8EFFD2298A1D07793E4CA4B60Efalsefalse - insufficient disk space 10341000x80000000000000001067077Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:19.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067076Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:19.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067075Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:19.379{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A633FFBDEB36442220B6D95205F5A4,SHA256=9649E984AB34CF687AA36866569882BA2D66F0A020D4719A722A4ECBE5B86BE6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.116{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.116{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F5868AE09255B11533851CA5967F15A,SHA256=5C46D4DB86BC8A4398805B258CD0591D1B325F085C2367AA09EBB8DA49654DA3falsefalse - insufficient disk space 11241100x80000000000000001545900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.116{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:19.116{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E32CA4CD75EF85C4D08657AF066C9D69,SHA256=62657100E188480A69E47FFA6582E462C0080C16ED709B761C6BAC767225805Ffalsefalse - insufficient disk space 354300x80000000000000001067074Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:14.872{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32489-false10.0.1.12-8000- 23542300x80000000000000001067073Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:19.216{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D26E4BB44E3A4DB6BF3BA605EE885D1B,SHA256=DA43DED23227535D140F9BFFE1F6A5C08D90B37E7BC569F883CCEAE6CBB55AF4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:20.704{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:20.704{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55083B5664770242E0F32A0EB745A8BB,SHA256=06643BD006D04F18F7B837326C6435C3E66E4B21603E26A85519003FB39F97F0falsefalse - insufficient disk space 10341000x80000000000000001067089Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067088Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:20.934{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067087Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.914{761B69BB-6564-6080-1C5D-00000000BA01}67165840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067086Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.770{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6564-6080-1C5D-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067085Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067084Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067083Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067082Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067081Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:20.767{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-6564-6080-1C5D-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067080Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.767{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6564-6080-1C5D-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067079Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.766{761B69BB-6564-6080-1C5D-00000000BA01}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067078Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.385{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5F64EA61351AC5EF75C53458C97E75,SHA256=C070064A6D3896265D3CA96A8C8C9A3A57BA7FDE26447C984105895BE210227A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001545905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:17.668{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64983-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001545909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:21.707{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:21.707{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48FA38339E22B58C73B0F9AC89392E15,SHA256=4D7CDAF5974B7ADFE5EBDAF2653756ED9C28CA8C23A1F2136EBBF703558984A5falsefalse - insufficient disk space 10341000x80000000000000001067110Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.957{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6565-6080-1E5D-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067109Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067108Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067107Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067106Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067105Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.955{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-6565-6080-1E5D-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067104Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.954{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6565-6080-1E5D-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067103Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.954{761B69BB-6565-6080-1E5D-00000000BA01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001067102Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:21.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067101Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067100Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.771{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10DA284C5714153ABA70D1BF49162B4A,SHA256=26813ECE467E2183DA3B2904F607F53C11E3534A26A2ED5E53F88EC96A7593A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067099Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.566{761B69BB-6565-6080-1D5D-00000000BA01}35965080C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067098Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.434{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6565-6080-1D5D-00000000BA01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067097Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:21.432{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067096Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.432{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067095Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067094Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067093Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-6565-6080-1D5D-00000000BA01}3596C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067092Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6565-6080-1D5D-00000000BA01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067091Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.431{761B69BB-6565-6080-1D5D-00000000BA01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067090Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:21.394{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C745CC875F9C3F1688B3522B0240097,SHA256=66108C937133D2CD439C1A0F72B0D7160BF38AD39E07C229757F88EAFA1B3800,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:22.709{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:22.709{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111208F5B1E9D56F7BE3D8230B5F2C16,SHA256=BDB0E30753F8FDA749E6C229D26D7249B827D08CE9CBF07DDE3FB978F56E0C85falsefalse - insufficient disk space 10341000x80000000000000001067113Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:22.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067112Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:22.935{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067111Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:22.405{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248F668B5C043AD61F6FAECDA083D463,SHA256=31691FE34D643BEE6F1FD784CEF2404B44DD1082A6467F4455DEA285E513DB8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:23.711{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:23.711{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EC2A84BCEE200DEEEE0D323D087128,SHA256=5D834361105417E9CD0CF502102AE6258F43800F8F7B99CAD2235D49A9B3F3B6falsefalse - insufficient disk space 10341000x80000000000000001067117Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:23.936{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067116Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:23.936{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067115Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:23.409{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199D908ED5FAAC7E8421AD42E98D4285,SHA256=AA7BB75EA293CB6D974448354D6B41B7E1946F7705680B1AF1F590308108FB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067114Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:23.082{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7C31D95416B5A4C5D0198A8D99A6D46,SHA256=C6A720EEEF4B12D12F011747107FB937490CDBAF2BDDA3D6574E3046770D3728,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.714{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000001545918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.714{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB5EC3FA6CC7F665257741B88D3C420,SHA256=D924F59840B34A305DE5B02061C2840877100D1C7AECCEEE68DEBCC670513199falsefalse - insufficient disk space 10341000x80000000000000001067120Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:24.937{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067119Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:24.937{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001067118Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:24.425{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226F4C7F60046670BC4516E8FAC2D392,SHA256=0CCB5D5D03676097941AE2EF9BF718CA9114DC93D12FCD62FC28088060BE2988,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001545917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.128{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.128{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=063AA9D703CECCC7BB78D28763BA9D6A,SHA256=15786BF11C6DD591B384E0317B0295AB4CDA88480BA8454067A1123A5BE2731Bfalsefalse - insufficient disk space 11241100x80000000000000001545915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.128{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001545914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:24.128{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F5868AE09255B11533851CA5967F15A,SHA256=5C46D4DB86BC8A4398805B258CD0591D1B325F085C2367AA09EBB8DA49654DA3falsefalse - insufficient disk space 11241100x80000000000000001545922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:25.716{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:25.716{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9988B3A0EC1BE79F776A0F1595C729,SHA256=90E3BF0236D6B7868046D8A5A1BF1C87F560F7E9BB669AC4BE10241848EC2D08falsefalse - insufficient disk space 10341000x80000000000000001067126Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:25.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067125Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:25.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067124Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.749{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32490-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001067123Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.749{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32490-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001067122Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:25.429{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A54F0C8781A78FFB4F80B5F6F3EAED,SHA256=BF22267C347EE74AA72F5A490998496D6E994A3FD9D804A2D889F3E37315BAA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001545920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:22.679{21761711-8431-607D-C500-00000000BB01}3840C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64984-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001067121Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:25.086{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16F8A9470F48F63CC64F301619A82D7B,SHA256=617F2081CE1A921D1CABBF1D5334B96FCBB8BB5E1B1C59F3B28EF9FFCBFEAACF,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000001545930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001545928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001545926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000001545925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:26.988{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001545924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:26.718{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:26.718{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCC4E47CDCC7A11A834A0409A877CBF,SHA256=9BB628EBF91ADDC584CEBE72B5DBC950FB72DF30B7BC5CB5F11DF8C95BBED55Dfalsefalse - insufficient disk space 10341000x80000000000000001067130Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:26.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067129Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:26.938{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067128Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:20.763{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32491-false10.0.1.12-8000- 23542300x80000000000000001067127Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:26.434{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B8FD8E192C0AB49AED6DD1DFF24765F,SHA256=167DAF936BC84427E4C187C0A23259896417CAC4CD9B20698ABB9F76ABF0D6EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067134Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:27.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067133Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:27.939{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067132Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:27.446{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889BED88D89CF153B380F1B25771589,SHA256=680B6D4C603D1F23683A512731E3AD8E8BB23F9764EA319E783C65E07EBC3277,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001545980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:27.135{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001545979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.135{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001545978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.135{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001545977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.135{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001545976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 
(rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001545975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001545974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001545973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001545972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001545971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001545970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001545969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001545968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001545967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001545966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001545965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001545964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001545963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001545962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001545961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 
734700x80000000000000001545960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001545959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001545958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001545957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:27.003{21761711-656A-6080-415E-00000000BB01}4300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
734700x80000000000000001546033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001546015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 
(rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000001546013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000001546012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001546011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000001546007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000001546006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000001546002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.314{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000001546000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.299{21761711-656F-6080-425E-00000000BB01}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001545999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001545997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001545996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001545995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000001545994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:31.298{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001545993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.266{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001545992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:31.265{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D55347C321E26B2535C70056416C45,SHA256=EB7B22F853FE5744A8742728A4A4B43E9C938EF3881D95B72B10609B77D0E3CBfalsefalse - insufficient disk space 10341000x80000000000000001067153Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:32.942{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067152Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:32.942{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067151Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:32.475{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF7BDC4BDA29126BBC9F4E3FB744DF1,SHA256=D3F97CBB180278D06F7E835A6368FAFF4E31068D73D74FC037E602777860AABB,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001546172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:32.648{21761711-6570-6080-445E-00000000BB01}46486496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.648{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.532{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 
734700x80000000000000001546151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 
(rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001546130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 11241100x80000000000000001546127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 734700x80000000000000001546126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 23542300x80000000000000001546125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551D919C2F196F3433AE5918103887D9,SHA256=A45FBEA6E973716F12B0775FACC6CC7B01954D8C359D436A6BE88AC967F2C58Efalsefalse - insufficient disk space 734700x80000000000000001546124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000001546122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.516{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.505{21761711-6570-6080-445E-00000000BB01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:32.501{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.501{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.501{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE862B409A53A63A59352FAFC85384B,SHA256=7A1FD1376B8AE13841564E416DF67E52BA26A79C4A2D2F18B647839898BB419Efalsefalse - insufficient disk space 11241100x80000000000000001546111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.501{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.501{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BCA692691709197280638EF90394802,SHA256=4420BFCDFF1019AFCDF49AEE775F94E94A77D6E96702404AD2E6C8463CF983FAfalsefalse - insufficient disk space 534500x80000000000000001546109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}24447840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.131{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 
(rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:32.000{21761711-656F-6080-435E-00000000BB01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000001546243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.873{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.867{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:33.866{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.650{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.650{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5791FCEDB2F1F33FC419E41B002480,SHA256=CB47CAEBBD8E3215508FCEE643DD08D151EA4A2C796A42F575F55E0D8179E1ADfalsefalse - insufficient disk space 11241100x80000000000000001546232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.635{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.635{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A528408AEF384919652DFBFD468C9133,SHA256=3E1C4A8BDFA284AED996AC5BABDE316D99884FEE2BEB2BF197FD6AEB538F578Ffalsefalse - insufficient disk space 11241100x80000000000000001546230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.635{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.635{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59456862C8011FBA1F3B5F9B38C9610F,SHA256=D7364D93D5AE121932DE4C0CDF97C3AC4EB611DE7C07774628B9857915D57BB2falsefalse - insufficient disk space 
10341000x80000000000000001067156Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:33.943{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067155Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:33.943{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067154Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:33.478{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433CC2AA7EA2B6739B2A1C7AAEEF02F1,SHA256=FCD57ACB099107E94B1B94C25F34BB07ADE6530A93E54D138E1CC6A56C77406D,IMPHASH=00000000000000000000000000000000falsetrue 
534500x80000000000000001546228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.334{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.334{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.334{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.334{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000001546209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 
734700x80000000000000001546208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 
734700x80000000000000001546200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:33.202{21761711-6571-6080-455E-00000000BB01}5464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.553{21761711-6572-6080-475E-00000000BB01}5932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:48:34.552{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000001546290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.020{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000001546289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.004{21761711-6571-6080-465E-00000000BB01}70204600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.004{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.004{21761711-6571-6080-465E-00000000BB01}7020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000001546354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:35.708{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000001546353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:35.708{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=253D5FB8A521733EDAFEAF6B5A40BCCF,SHA256=AD63F9D9A5379D4864025CAFAC610E85CD9ADEEC5D1DD99E584A781F9885046Dfalsefalse - insufficient disk space 10341000x80000000000000001067164Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.945{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067163Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.945{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001067162Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.734{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8864AB5EAF1C50E0F778D64492CC1FF2,SHA256=0F32C48A3F6857029B6924D179C9E0DE0511292E9848E7E7D9AD4877C9647F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067161Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.733{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C88579E98A1B3057970824D2DD0F89FE,SHA256=302221741E759D2CD4083B6ECBE81947443BA642DD6904068B3CF37EB3A756F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067160Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:35.487{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED87C1740C9727C58EF9D6FB432BA01F,SHA256=B3B7B3F48A3B75F90D9794E7E9CBCE1ED8478A90CED46E5067BDD080BC57C1FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:34.676{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64986-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
11241100x80000000000000001546358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:36.710{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:36.710{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC13A5F7BE274A26652AC9DE42F58229,SHA256=A683CA8B658A066A874EB6036E28AAC5D2CB5C8C8C906D9A29FFD11F8F02B2D4falsefalse - insufficient disk space 10341000x80000000000000001067169Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:36.946{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:36.946{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067167Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:31.767{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32495-false10.0.1.12-8000- 354300x80000000000000001067166Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:31.396{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32494-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001067165Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:36.492{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8905DA751201E8C130452679E4C8FF,SHA256=C75E4968AAC0C538EAD663C5CFA245394CFBCBF1FEBDE42477DF789A5033D9DB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:36.125{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:36.125{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40E514F42414CD60F6864C971533CB13,SHA256=5EFABF2C7B51FD0813350878C03FD919C829CCC09F82449400357DCF3C669F3Ffalsefalse - insufficient disk space 11241100x80000000000000001546364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:37.778{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:37.778{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED1DE77DE0734779AC1EFB0AAEF5483,SHA256=372C150E4FE14248823463085C9EB8F6FCDE64FE54DE544313EDC3FDE7599D5Bfalsefalse - insufficient disk space 10341000x80000000000000001067172Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:37.947{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067171Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:37.947{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067170Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:37.507{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B56055903DA5080D0AD17B99557BE37,SHA256=95218F3225B354441837E3860AF696A1AB266E2A62723EC49AE1E3822EBB9901,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001546362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:48:37.111{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001546361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:37.111{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001546360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:37.111{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001546371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:38.831{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:38.831{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6E71C608CA4EEB345D353A726D5125,SHA256=B780A981C921B05938C98D6ABB54751F70B8C53F6D8551DF66CA241857AEA198falsefalse - insufficient disk space 10341000x80000000000000001067175Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:38.947{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067174Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:38.947{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:38.510{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04856DD9975F71CCEEDFED93DF830B5F,SHA256=62A8C1BDA6EA86E93887FEAA5308B1CFE2F4F7DDB8760502C07A7EDFB1B02280,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001546369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:38.214{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000022038A\VirtualDesktopBinary Data 12241200x80000000000000001546368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:48:38.214{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000022038A 13241300x80000000000000001546367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:38.145{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001546366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:48:38.145{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001546365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:38.145{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001546373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:39.833{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:39.833{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BF2D5E76923A8C241A1019A7EE9C24,SHA256=46E7D56CB9F2149E00C85ADE0B88EC5128C38138EFBFE7A9853AAAEFDD0AC846falsefalse - insufficient disk space 10341000x80000000000000001067178Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:39.948{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067177Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:39.948{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067176Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:39.516{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FE3DB7399B6635C5CB047528E357BC,SHA256=28047A9779CBAF7E4A03FDF5FD7B6EFD9796B9648532A8D5B2587E4B0A8C4610,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067181Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:40.949{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067180Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:40.949{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067179Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:40.519{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0190A470205F0B8039712F7A0AF0C7AD,SHA256=71A33189FBF6EAADB9B9ADE1C782967583EE889E5F0C4FCDD62A3AFB3A21A99E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067187Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:41.950{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067186Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.950{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067185Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:36.909{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32496-false10.0.1.12-8000- 23542300x80000000000000001067184Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.522{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CE833B8787645F10F10DE3603CDE46,SHA256=E1C4C4BC8D86FE133CA76131A05A6317EC5BF5A228C9B0DB0037C48A38C791BC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.188{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.187{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C43710642D1876780EAA09C6C9FEE54,SHA256=8E5431D469600DCCDA5853875723465FAE7CB4F9045627C8F53938890CF877D9falsefalse - insufficient disk space 11241100x80000000000000001546377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.187{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.187{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E09EC093240FD147DE70E07A11BDF54F,SHA256=9258931434F8C18D097462716D4F763D63B3A69E2763D888335987DCA0DBB81Dfalsefalse - insufficient disk space 
11241100x80000000000000001546375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.068{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:41.068{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7136B04A308956BEFF7BD04103972F4,SHA256=ED5103234EDC09E7E0ED16A0EA5606C120D766E76E1BED622F0DD183AE5513FCfalsefalse - insufficient disk space 23542300x80000000000000001067183Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.333{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8065E252578666B0CE47DA5D0185C455,SHA256=85488E6179464CE3E9C88F638047A600783491ED512BD0134085147057748F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067182Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:41.332{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8864AB5EAF1C50E0F778D64492CC1FF2,SHA256=0F32C48A3F6857029B6924D179C9E0DE0511292E9848E7E7D9AD4877C9647F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067190Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:42.951{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067189Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:42.951{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067188Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:42.525{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB167FD4BCAD5F5A6D9C7068E48F8BB2,SHA256=B54CBDDAECBD3238D2E5660A9118B4816C9F57E30C8DC4FA6FC9E7943C00B884,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:39.719{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64987-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:42.070{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:42.070{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9D41CDD9D1837C0C2384C3894B6D43,SHA256=3CEB27A837E39B9F8E2E1D239D05BA4CD439441FB6FF69AC569BEA94510B713Afalsefalse - insufficient disk space 10341000x80000000000000001067193Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:43.952{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067192Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:43.952{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067191Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:43.744{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE0F241724DEC4BB706C58C538788C4,SHA256=5878507B23BFA7EAFC3F29C6684267294D3092691176C5F737D9579D48DE027E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:43.191{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:43.190{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F729D38BC759E096E68861FF4B0B8381,SHA256=9077B8EC5FD0375003461CBD59B636A8AEBABD0895AD6DF8C72F7F58A2BAB5BEfalsefalse - insufficient disk space 
10341000x80000000000000001067196Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:44.953{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067195Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:44.953{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067194Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:44.747{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C99127AB0CCF0538C7AA08007E3B4096,SHA256=BEABEB28D956931CD25682130321E31C8A306069C221B4E5979AE37EDE06A882,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001546386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:44.193{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:44.193{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E4F6C745CE64128133FB171B8EDE88,SHA256=05999F0B485008823F3AD1DBA319A4C87F8576AE13E9D8B7B291B4FD0D916AE2falsefalse - insufficient disk space 10341000x80000000000000001067199Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:45.953{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067198Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:45.953{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067197Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:45.771{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C57C5D4D3010DC7308593C9D45C5A72,SHA256=5DB3D42EBEF4C22A1E6AF34F98ECB3177C93D6D93F3886A40982BD7667CE8C1A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:45.196{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:45.196{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA7A1F8E43F953D234C64127BE99880,SHA256=480DA90A65FC3439D1049FE53064F24117E9E8F796BC73E9BB1B43131A3DBF13falsefalse - insufficient disk space 
10341000x80000000000000001067209Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.954{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067208Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.954{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067207Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.777{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8260B5E0624C5BA6AC9340607C557DD0,SHA256=7B5D9C804B7706A57A095F70AB4AD0EE9F5DB18DA3ACC1F08E69AB7257BAF613,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001546390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:46.199{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:46.199{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49DBCE01FCAB7F6AB7047D06BB06D00,SHA256=DA447779D5CE757104FCB6FA36E88B15C94C81A6A3F4E6E0B94975B9E0E1FEDBfalsefalse - insufficient disk space 10341000x80000000000000001067206Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.139{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067205Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.139{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program 
Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067204Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.139{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067203Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.138{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067202Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.137{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067201Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.137{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067200Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:46.137{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067215Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:47.955{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067214Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.955{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067213Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:47.785{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385E04C9FA7C011DA58F5EE3B46441D9,SHA256=981E30200838557838FE6E0E8D011A84967070B0989A87306B8379E0BC4D5E44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:48:45.703{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64988-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 11241100x80000000000000001546395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0623B6026CA96A6198B2EB41050588C4,SHA256=84157CF9DF08E06FF71D951108650231AC4555D016F263685B4C23639ADA3965falsefalse - insufficient disk space 23542300x80000000000000001546393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:47.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCE10E2B718DE5EB78FE8D4A3E958D1,SHA256=61CCF704A69FE9C01C95393853A5151F8ABC6216361E7FAEF710066711760A5Ffalsefalse - insufficient disk space 
17:48:53.802{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32501-false10.0.1.12-8000- 23542300x80000000000000001067255Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:58.152{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CBC7F3C03D81B27DF2DF9DDA59D178B,SHA256=DAD753219E31693EAAA92E8AF364608CDD54417380944396646FF699A5255927,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:56.698{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64990-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.294{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.294{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444DA4ECA64853ADBFAA1145D21EE838,SHA256=A1144CFCA718AC4F9900D808EF37CACFCABF9120C433A1564AD0FCB67140C4A2falsefalse - insufficient disk space 
11241100x80000000000000001546424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.294{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:58.294{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31138A48AAB0888041EDC776E4EC0B3F,SHA256=765493F45A3E7FCDD0BA94B37D42931CF5317221CE48A51CF1ED5F9028173FF4falsefalse - insufficient disk space 11241100x80000000000000001546431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:59.966{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:48:59.966{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF62AF2F99F35774385708C9B8DF3DA1,SHA256=96B6A3F8983EEE427E215B04350B5A9FB9823735FC9628EFF202348473896B63falsefalse - insufficient disk space 10341000x80000000000000001067263Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:59.962{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067262Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:59.962{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067261Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:59.876{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C5017D4CAD5CE290DDB85C89C98A77,SHA256=7C0E25D3D86BDFCC81197CBBCC839DDA6D2DEB98ED8818531CD54F14AE05B987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067260Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:48:59.425{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4432D112F1729BCA52A71D6B569AF184,SHA256=8F1C758924624D5A135BAB1429D9AA07B3C2AAF9AA346E20D145EABC2CD05EDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067266Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:00.963{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067265Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:00.963{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067264Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:00.883{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8948BEF8DE252CC4B68BDB7B3379EC9F,SHA256=D147D16CB4EA02D032F0FEA342E6930B0BA507C6823AB2B8B47CA990CBD9C0D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067269Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:01.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067268Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:01.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067267Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:01.887{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F79CDFD9B27221D78B997C0C7B07F73,SHA256=8CACF3407615F2F550E623B7B08670985A8DB001A2DDF3CA9E4158B891139233,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:01.075{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:01.075{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2943BB72DCE6B091C9444A21EB8F60B6,SHA256=9DE1E1974D799201D556A1056A88E75FD8D904EC2942173E89CF0A040EA50BEEfalsefalse - insufficient disk space 10341000x80000000000000001067272Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:02.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067271Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:02.964{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067270Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:02.890{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1260723EC9F10E83F9388C401B38D083,SHA256=EB15BC244F38FA4476919C96724436B9BACDA4A22C858D550B9B3E54491CFEB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:02.303{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:02.303{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7B66A6CCA2F43CF3DE52158F70D5E6,SHA256=EAE271B9D7A69F71319288248D76907AEEF1840C1D6F7A8C1052AB0379E110AAfalsefalse - insufficient disk space 10341000x80000000000000001067275Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067274Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067273Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.892{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0831D1966259EC063E4ABB1928A66518,SHA256=886F3F86FBC1DDD29DF985512B7932BA8B651201B463BEE5E0DCD051C3C0A952,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:01.772{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64991-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.359{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.359{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57581B80851BB90B7E8226E6840B0BF,SHA256=356D1B4761B19A1D7CA2651D547AA13E38CE5DA2B244D544CFF9484CCAA3B25Dfalsefalse - insufficient disk space 11241100x80000000000000001546439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.359{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.359{21761711-8437-607D-CE00-00000000BB01}2032NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=444DA4ECA64853ADBFAA1145D21EE838,SHA256=A1144CFCA718AC4F9900D808EF37CACFCABF9120C433A1564AD0FCB67140C4A2falsefalse - insufficient disk space 11241100x80000000000000001546437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.321{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:03.321{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9EF8DAFF66A87FBA681ADCA6AD4611,SHA256=62D1812AE51649DB1D6C3B65C4FAAEC07CFCD8975C5CCD1E586C00524EA864B2falsefalse - insufficient disk space 10341000x80000000000000001067280Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067279Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067278Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.902{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204440512D90F1039EE250DDFD746614,SHA256=784D9C8268559B6DEF9E22653A508C8AB90A1AD0D6F517C6B4B892055EA85CCC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:04.323{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:04.323{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CB52822CE08EC902ADC915B49D1778,SHA256=5AC0AA00D13AD1511E99A0CC14C25786EE0A2CD630BDBF9D575BF3C343D8792Ffalsefalse - insufficient disk space 354300x80000000000000001067277Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:48:59.688{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32502-false10.0.1.12-8000- 23542300x80000000000000001067276Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.019{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=606243D6FEF0786574A4130626EE8D5A,SHA256=EC5CED6C510BC471FDDC2992FE744D2315A29F7988E7A092B0BBA297E623D1C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067290Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067289Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:05.965{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067288Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.922{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AFEE46922A52C8D8F4A88181E60CCF,SHA256=87C7EA377442AE7F6339E21E39B46FE3D905F2F81AE0952FDAD8F377AA370679,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:05.326{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:05.326{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D687FE4D91F960B64362427DAA316C94,SHA256=5F5B45CA72EBE5B724573FE9688BC3DDB65916664C12628E881EA441688C4031falsefalse - insufficient disk space 
10341000x80000000000000001067287Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.614{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067286Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.614{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067285Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:05.614{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1500-00000000BA01}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067284Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.459{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 
10341000x80000000000000001067283Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.459{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067282Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.459{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb4abaac.TMPMD5=95E355D75CB9B0A6D076CE414DF2B1F4,SHA256=0C9CCEB014A154B30949E1761541EBBD3B0FC9CC2554B5C0868A7F1CDB481C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067281Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:05.451{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\datareporting\aborted-session-pingMD5=202B00AA9695E1CFA2EE08BF07AF3D5D,SHA256=3287AAD58AEFA0B09A75A4C3C9121C1DB4B5528B210BC6D5D6DB882501FB9DDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067294Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:06.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067293Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:06.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067292Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:06.933{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764FA483F31D33BC35BA93F973B1CC21,SHA256=A226A060AA6D922F353E189F3115AFF7A60E11019BB9EEBB98B367AA5817A434,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:06.529{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:06.529{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F84AE15217956814D704FE296B504E1,SHA256=4BADDD81807BFC53F1E9D9FF60D3493AA4235C70C989FF9A21D95C60DD9C3AB4falsefalse - insufficient disk space 534500x80000000000000001067291Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:06.646{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exe 10341000x80000000000000001067300Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:07.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067299Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.966{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067298Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.947{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DD9B73A4CE2E2FB5BD650973AF1F0D,SHA256=1379C2449C49A8922F8F8D4DBBDF0C54B7AAB83958D72444ABDFB7626D1138BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:07.531{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:07.531{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDD1DF4C4183B7E630E1A3FFE8067F1,SHA256=8D70A746B1440165B8AF9B9BCC34D31675215547B5AD068545732BCB52892886falsefalse - insufficient disk space 23542300x80000000000000001067297Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.637{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FE98EC160C10144C08D5458D15A6797,SHA256=38E6BEBA3BCC69BE98FD2BBB357A3C32B2988C293D7F32F2B162FBC75DD6CF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067296Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.379{761B69BB-646C-6080-FB5C-00000000BA01}5716ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-16\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio9532780782181384102.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067295Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:07.346{761B69BB-646C-6080-FB5C-00000000BA01}5716ATTACKRANGE\AdministratorC:\Program 
Files\OpenJDK\jdk-16\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio2352388016338203379.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067318Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.972{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45DE8714F1A430C27C24764B3CC14E2,SHA256=5ACA493351C49CB1FA29278B8FEA4B34C0C86A1CBFC748A40515CBD801455EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067317Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.967{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067316Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:08.967{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001546454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:08.534{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:08.534{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619719C9992C46BE4DEF52C316D02F05,SHA256=10F44EB4994BD4B91EF7835B0D0D64165C1FB4D2D8BC31509317133751F987EAfalsefalse - insufficient disk space 13241300x80000000000000001067315Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDB-VerSetValue2021-04-21 17:49:08.657{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exe\REGISTRY\A\{2324e785-6857-4bd5-a835-6bfa35e4ffb1}\Root\InventoryApplicationFile\64_dllhost.exe|ddef3887600fc40b\BinProductVersion(Empty) 13241300x80000000000000001067314Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDB-CompileTimeClaimSetValue2021-04-21 
17:49:08.657{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exe\REGISTRY\A\{2324e785-6857-4bd5-a835-6bfa35e4ffb1}\Root\InventoryApplicationFile\64_dllhost.exe|ddef3887600fc40b\LinkDate06/09/2020 00:17:28 13241300x80000000000000001067313Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDB-PubSetValue2021-04-21 17:49:08.657{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exe\REGISTRY\A\{2324e785-6857-4bd5-a835-6bfa35e4ffb1}\Root\InventoryApplicationFile\64_dllhost.exe|ddef3887600fc40b\Publisher(Empty) 13241300x80000000000000001067312Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDB-PathSetValue2021-04-21 17:49:08.657{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exe\REGISTRY\A\{2324e785-6857-4bd5-a835-6bfa35e4ffb1}\Root\InventoryApplicationFile\64_dllhost.exe|ddef3887600fc40b\LowerCaseLongPathc:\users\administrator\desktop\64_dllhost.exe 13241300x80000000000000001067311Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.localInvDBSetValue2021-04-21 17:49:08.647{761B69BB-818C-607D-1200-00000000BA01}612C:\Windows\System32\svchost.exeHKU\S-1-5-21-868614410-3820876872-2839617749-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Desktop\64_dllhost.exeBinary Data 354300x80000000000000001067310Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:03.310{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32504-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x80000000000000001067309Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:03.302{761B69BB-649E-6080-015D-00000000BA01}3716C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32503-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001067308Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.055{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6594-6080-1F5D-00000000BA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067307Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.053{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067306Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:08.053{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067305Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.053{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067304Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:08.053{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067303Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.052{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-6594-6080-1F5D-00000000BA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067302Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.052{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6594-6080-1F5D-00000000BA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067301Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:08.052{761B69BB-6594-6080-1F5D-00000000BA01}5764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001546452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:08.302{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:08.302{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B57581B80851BB90B7E8226E6840B0BF,SHA256=356D1B4761B19A1D7CA2651D547AA13E38CE5DA2B244D544CFF9484CCAA3B25Dfalsefalse - insufficient disk space 354300x80000000000000001546457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:06.822{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64992-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:09.554{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:09.554{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159438A93719E06E192F30906E274BFA,SHA256=FBDC67AF1E75B618F55443867C34E4C45B125F0F63F10C30FD6A3155AE4E33CEfalsefalse - insufficient disk space 23542300x80000000000000001067323Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:09.973{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B05DFB3C4BFA25107F07DE9AE49FF8,SHA256=AE0EAE39E2AA6ADB37E6901CF97D391A360E3D64971B588CDE9E2FD51FF053E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067322Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:09.968{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067321Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:09.968{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067320Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:04.820{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32505-false10.0.1.12-8000- 23542300x80000000000000001067319Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:09.056{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62213444320A88C4BAF8204E02005C14,SHA256=184498BA16DE7CB7ADD40F48CEA56FF735E7C7671BD296A873E5C3AE1612DB2D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:10.792{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:10.792{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C2DDE07562A3755E3C08774E348B40,SHA256=EE710263BFD07A81F807E5DDFBC49A497CAF9AC28E7C784C6EAC06E94F10E445falsefalse - insufficient disk space 23542300x80000000000000001067326Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:10.997{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1958EE467510BA23B0BD7A907E13277C,SHA256=1B60E80ACD5E3EFC0F7C725A1CB4A392DC7858CAFEDC3E36190CAD0BF01C998C,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001067325Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:10.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067324Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:10.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001546463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:11.995{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:11.995{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AE2AFCDBFA9999AAE299D72F4004268,SHA256=74F91B84D88BF8895E941DD355485DE4BBD1A28EB91A5463B6D2C8A5C96DCF66falsefalse - insufficient disk space 11241100x80000000000000001546461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:11.309{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436 23542300x80000000000000001546460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:11.309{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4BA7F9BA2C04D3B880AF2349B45FCEB2,SHA256=7C5E6C16A48FDE44935CE5B99A614B174E6424A550B17D9356A0994C380254A9falsefalse - insufficient disk space 10341000x80000000000000001067337Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067336Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:11.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067335Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.869{761B69BB-6597-6080-205D-00000000BA01}1688712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067334Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.734{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6597-6080-205D-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067333Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.733{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067332Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.733{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067331Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:11.732{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067330Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.732{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067329Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.732{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-6597-6080-205D-00000000BA01}1688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067328Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.732{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6597-6080-205D-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067327Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:11.731{761B69BB-6597-6080-205D-00000000BA01}1688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001067357Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067356Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.969{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067355Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:12.901{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6598-6080-225D-00000000BA01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067354Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.899{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067353Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:12.899{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067352Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067351Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:12.898{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067350Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-6598-6080-225D-00000000BA01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067349Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6598-6080-225D-00000000BA01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067348Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.898{761B69BB-6598-6080-225D-00000000BA01}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067347Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.271{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C40147433EF9BE979E2C66700937B104,SHA256=5E398D8BBB42541CAABA8D2C2F4009FF55D555F336DAAB1490A15D0EC5E6900E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067346Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:12.234{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6598-6080-215D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067345Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.232{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067344Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:12.232{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067343Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.232{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067342Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:12.232{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067341Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.232{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-6598-6080-215D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067340Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.231{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6598-6080-215D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067339Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.231{761B69BB-6598-6080-215D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067338Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:12.009{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF67017D5FA8130F723A31692E70EE36,SHA256=832B469AF6EA7217A013CE7CD05DC597EE00025C078BFD2A85727D643BD9ABE6,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001067362Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.970{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067361Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.970{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067360Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.385{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F52582161802FD87B82A9F2E7FC4BF0B,SHA256=5AD14C2850F2689CEBF2073037D8C03DB83B7A683DD85ED20168198A77E3CDA3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001067359Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.035{761B69BB-6598-6080-225D-00000000BA01}20726264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067358Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:13.034{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35DE7DA98E65F8407AF8A431D02AA8F,SHA256=8AF8FD36822F7DC4D6B99FD820F3037492B8E6BAE025647582D3C7EED645D955,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:13.165{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000001546466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:13.165{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 11241100x80000000000000001546465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:13.113{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:13.113{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70079624E25A98142410BF54D8D7669,SHA256=AB6AE4B29F7AAA957FE85167339093C19940F73E9E57026A046051723E60A83Cfalsefalse - insufficient disk space 354300x80000000000000001546475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:12.698{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64994-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000001546474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:12.636{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64993-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.116{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.116{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816316699FC89400F0F663A843D6BC25,SHA256=B305C336D8E4EB40E8A876D28D2F77E181628744A1333F87F0FEF2F699FA1BD7falsefalse - insufficient disk space 10341000x80000000000000001067365Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:14.971{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067364Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:14.971{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067363Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:14.038{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E872C47D20BF5BDD8E0681A720959B,SHA256=9E89A09E61B7B88B2D6665AFD5EFFD0123485B282F14B4F23B5952C7AB6D8886,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.084{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.084{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B6ED663CAA47B1594060CE7FEEF47C3,SHA256=62D8BB891AF4A51C5BDB0ED198DAC4418692304EEB309DF520E992E8DE4D4463falsefalse - insufficient disk space 
11241100x80000000000000001546469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.084{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:14.084{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56C624890137AC547EBD1D76AD485B98,SHA256=2C1CCC123F9D8862C9A9FBF1CFD9A71D5523AC1FAE9CDA495602EC25A41AA233falsefalse - insufficient disk space 11241100x80000000000000001546477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:15.350{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:15.350{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53D7C90E5A27144C2C1ABAA11728D188,SHA256=F861EE4786A41BB6C72533F157DB97FE4BAA9196EDB6C5A7EDAE2E1B83A9485Afalsefalse - insufficient disk space 10341000x80000000000000001067370Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:15.972{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067369Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.972{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067368Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:10.698{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32506-false10.0.1.12-8000- 23542300x80000000000000001067367Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.044{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5786E982A9E9661A7BCFE7E98424FB56,SHA256=32D385F64B6EE40550B9CCA8EF74F612FCB51253FF813BFE3C9575A30366D301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067366Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.031{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDB346A67D0ED28F48C5F113E9DAF92D,SHA256=1F224FAD9A55A7B0738016BAF44A00242473C430EBFC29BAC483741DA2FFA667,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067373Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:16.972{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067372Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:16.972{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067371Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:16.050{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=393B87CECC98935270EA1BA70901C5D8,SHA256=3B6F0A3AB0810A4E6C39BBFBBE7E4C50DA922B4D8E102347A717C1D95AB19408,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:16.406{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:16.406{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3F1A82B65F7F9ACFBB7FFA93D1D2FA,SHA256=933311E1E1FB047E874B49EF826BC337DB586AE36553BAFDEF20C7AFF9A8A857falsefalse - insufficient disk space 
11241100x80000000000000001546481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:17.408{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:17.408{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106161C75D8256E4E6D4503E080C84F5,SHA256=D40E4E30228F12394D94B8AD76FA34A3AF2895C74DC31438CC27030199350E8Bfalsefalse - insufficient disk space 10341000x80000000000000001067376Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:17.973{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067375Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:17.973{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067374Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:17.057{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD99907F494797DB26CB7926C89CC05C,SHA256=7819023253469A72A86E1E91C16FFC1BBCE7538491B106A6825BFBB391D3D076,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:18.526{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:18.526{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95712565E95A72634C972BB01CA56B89,SHA256=057AEF14364648B8DBE7CDEB6261A1C8CAE25142BEF0FEE00A8A37B4336B8953falsefalse - insufficient disk space 
10341000x80000000000000001067379Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:18.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067378Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:18.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067377Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:18.065{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=887DED4490C6BF71772C143356CB50B2,SHA256=2C8742FC4068EF1EBD8DD04833A18637202F4D8F260C9B7ACB63BAE250E19A71,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001546490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:17.679{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64995-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.544{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.544{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA69A72382DA70446BD5BE1106D18BA,SHA256=E2F4C3A94BB2DBD69A4C6EE373BCAC4AAA05B021185EBABFB00004048BC9DBAAfalsefalse - insufficient disk space 10341000x80000000000000001067382Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:19.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067381Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:19.974{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067380Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:19.081{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F34F17B4C2C803B197388B4F55E39C,SHA256=B1945F98ABD331065A13FE1578490AF7F09E0ABF2C338E37119977DFE2C0CF8B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.213{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.213{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A010FDDB1B04678C96B0282EB27D6A60,SHA256=67A51916365B405F4458353529FB796652B0DC312DB5D853A0BB4CA59326868Ffalsefalse - insufficient disk space 11241100x80000000000000001546485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.213{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:19.213{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B6ED663CAA47B1594060CE7FEEF47C3,SHA256=62D8BB891AF4A51C5BDB0ED198DAC4418692304EEB309DF520E992E8DE4D4463falsefalse - insufficient disk space 11241100x80000000000000001546492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:20.547{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:20.547{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3422E2F4CE4DA522D8EC553C0C23C9B2,SHA256=A8B88F388E9B575CBB7B34A99A48BFA7673DF5C00FB37696B992C27E37299F1Dfalsefalse - insufficient disk space 
10341000x80000000000000001067397Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067396Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067395Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:15.832{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32507-false10.0.1.12-8000- 10341000x80000000000000001067394Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.911{761B69BB-65A0-6080-235D-00000000BA01}69487164C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067393Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.770{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65A0-6080-235D-00000000BA01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067392Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067391Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067390Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:20.768{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067389Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.767{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067388Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:20.767{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-65A0-6080-235D-00000000BA01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067387Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.767{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65A0-6080-235D-00000000BA01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067386Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.766{761B69BB-65A0-6080-235D-00000000BA01}6948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067385Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.165{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B11C7DF730A641DD4A24AA0D62D072DB,SHA256=9A225ADC7EDF8A3D0ACCCBF9CCB8653CBBCC1432B61F33D2882EA36E6133EBB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067384Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.164{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC1BFF729C8AD7E535CE2C54735044EA,SHA256=06C3EE26AB430CDA012C27DD61673F2E92C64985037B26A98D3A435FC1BD6C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067383Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.089{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484697CADF2E738B1B7C40768BE6785F,SHA256=29F9A9BD994A1E898A0D3D9BEF88AE976EC6D29C8C8F5D9ADA7B299928ADA8A9,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001546494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:21.766{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:21.766{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3C239A69F6F60BBF20391728E0F530,SHA256=12F17B709B9478488A136587C20BA9433C28F7F08AE6286C72AFF0CB1FA5A4B3falsefalse - insufficient disk space 10341000x80000000000000001067409Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067408Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:21.975{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067407Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.770{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B11C7DF730A641DD4A24AA0D62D072DB,SHA256=9A225ADC7EDF8A3D0ACCCBF9CCB8653CBBCC1432B61F33D2882EA36E6133EBB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067406Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.433{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65A1-6080-245D-00000000BA01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067405Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067404Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067403Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067402Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.431{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067401Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.430{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-65A1-6080-245D-00000000BA01}1404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067400Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.430{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65A1-6080-245D-00000000BA01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067399Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.429{761B69BB-65A1-6080-245D-00000000BA01}1404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067398Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.101{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82798D6F11F46B2AF6FD7F0375288F42,SHA256=99310BDF28ABEF1D9BBF9B37B79555889EFE18AE513016CBBC2A89003B5815D9,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:22.768{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:22.768{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660DFACEC4240BD393FF5AF0C8B402E6,SHA256=CF2A7131B98D51D9902152B6B340EABCD4B7BF693F6622FFFF20A4FD62D40822falsefalse - insufficient disk space 10341000x80000000000000001067421Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:22.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067420Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067419Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.230{761B69BB-65A2-6080-255D-00000000BA01}63404716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067418Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.110{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1628844EA08B6C1AB05D601AFE11814,SHA256=445625ABE1D85C2EB62D454731BBC7897302FEE2739096C631950CF4E8DE30CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067417Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.089{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65A2-6080-255D-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067416Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:22.087{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067415Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.087{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067414Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:22.087{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067413Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.087{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067412Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.086{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-65A2-6080-255D-00000000BA01}6340C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067411Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.086{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65A2-6080-255D-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067410Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:22.086{761B69BB-65A2-6080-255D-00000000BA01}6340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001546498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:23.770{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:23.770{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341C0397F645BBC800966BCB70F6C29C,SHA256=658ECF81A93DE4F80E5F6D526FD304CA73FF432ED2A8E227C6763A7801E71771falsefalse - insufficient disk space 10341000x80000000000000001067425Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:23.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067424Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:23.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067423Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:23.116{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B2593739726DBD984FDEBB2498EB52,SHA256=5B5DD1F07A9123FFB49771A8CABD2D547C9EE7C24D2AE1CCA8439B9E3BBB7733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067422Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:23.097{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB0282DFB2B9883E79D16588C29B1BF3,SHA256=DE4D828F91C12850925BEBD9D86F212AC90CB2322A2A3D547275450DFB053A25,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:24.791{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:24.791{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26CB7A7506584BF1EF014F164619FC2,SHA256=BB808F28FD1452C12E4D6C9EF6106D5D683ED248A8FBEF322313A687A69179B8falsefalse - insufficient disk space 10341000x80000000000000001067429Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:24.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067428Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:24.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067427Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:24.361{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=895EA943B9C5787BF58CF66D295615C9,SHA256=A5A8D46614A644E8D52335424FB75FCBED5979D269CEAA53470A80FCEDACA4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067426Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:24.122{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C50920ACEFCF280DFB5C8D25583D517,SHA256=F83B77BD2C9AF21ACC9ADF8B9639CFC792184CE9E42E6F7B3C3F0B0ADB90607A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:24.171{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000001546499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:24.171{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A010FDDB1B04678C96B0282EB27D6A60,SHA256=67A51916365B405F4458353529FB796652B0DC312DB5D853A0BB4CA59326868Ffalsefalse - insufficient disk space 11241100x80000000000000001546550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.893{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.892{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75FAE0388484AA62C6BC2009EC76437A,SHA256=428F4369B1BF650033213F1363CFF1D83F7E9A421CB3F28768EBA58CC29700DCfalsefalse - insufficient disk space 10341000x80000000000000001067435Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:25.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067434Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:25.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067433Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.749{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32508-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001067432Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:20.749{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32508-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 
23542300x80000000000000001067431Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:25.361{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88D5D7443C706A3CA7A084B10C126486,SHA256=F51F5F6A77FA4BCF4A6BEF90733117AD6CA222B1E4EC1DEA7EF167929B9266AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067430Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:25.151{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710FAF1F75BEF819B821EE2D27C7B0DB,SHA256=C4BC4C78DE97E14FBF1C9CE8572CE0E3DE3DE23E258BA0FB193B9095355E2AA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001546548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-83AE-607D-1E00-00000000BB01}1992C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-83AE-607D-1E00-00000000BB01}1992C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001546504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:25.127{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-ED00-00000000BB01}2568C:\Windows\system32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001546503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:22.723{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64996-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x80000000000000001067439Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:26.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067438Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.976{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067437Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:21.715{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32509-false10.0.1.12-8000- 23542300x80000000000000001067436Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.156{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F3AF2F9BADE85BB7AF5EABD33107B7,SHA256=0A7D81D339AEA30A16AC47B907CF842D423433F08BE316DAF6D18C89986E7ED9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067442Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:27.977{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067441Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:27.977{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067440Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:27.166{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBF89715B5BABBD686B449CA0BB4641,SHA256=AB932F29AC7ED48E80604F15968DA66BF87BB5D94CC07119ADE500BEDEF580D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.517{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.517{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD15A31ECD9447EF2A7F1BD5B6434BC,SHA256=1DA0C8153D62E9A30C140F653EFBA0DE5C0A1DEF329FA03C90183DDD889B02F0falsefalse - insufficient disk space 534500x80000000000000001546606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.163{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001546605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.163{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 
734700x80000000000000001546604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.163{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.163{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001546598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x80000000000000001546596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 
734700x80000000000000001546592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® 
Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 
734700x80000000000000001546581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 
(rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x80000000000000001546565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x80000000000000001546559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.032{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000001546558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.017{21761711-65A7-6080-485E-00000000BB01}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:27.016{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x80000000000000001067445Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:28.977{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067444Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:28.977{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067443Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:28.170{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F8F3208D59CECAB378344C69CD8DAE6,SHA256=473255CFBECBB48327523B2E004D1E67816E31D2E5E9AEE6F94F9A525B869039,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001546612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:28.281{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:28.281{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E626D1D4E32FB36428152B051D61C7,SHA256=03B63EEA2ACC0100B0853F126B2236C87E6447EE03ACEF3041C2FF1CE9EAF36Dfalsefalse - insufficient disk space 11241100x80000000000000001546610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:28.018{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:28.018{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B57DA39B5187501172AA9FFABA1CDC,SHA256=46F6B18B9CF2EE83D021C1D66B3FA90F198CD07B8C372772D4D5359420030208falsefalse - insufficient disk space 10341000x80000000000000001067449Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:29.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067448Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:29.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067447Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:29.845{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067446Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:29.180{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A701A495E74ED40F2EC7DD7794F1E0DA,SHA256=4496DF51BCC582EDB6078E8230CF061D3FCF6B7B5D7B379F12A019C27EE8BB30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001546617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:27.788{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64997-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001546616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:29.284{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:29.284{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857A7FA22860DC7E89776C6B7B41D3D9,SHA256=DC20A3249645DFB55CC1A015F0B5ED69E5466EAC640ADBC813882FDB7029EF74falsefalse - insufficient disk space 11241100x80000000000000001546614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:29.237{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000001546613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:29.237{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=279FFAC2DD00CB14FE228B3B580D80DD,SHA256=520CDBFF06B414B86F938E8D736B5D2DE20770C2F7455912479D5E9FF4CA9E96falsefalse - insufficient disk space 11241100x80000000000000001546619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:30.455{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:30.455{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E39B6B1983D491232E07117293369E4,SHA256=3D693CFA65E2F26AA65632EF173981178AE89BBBBEE7825CF04C852B19FE6DB6falsefalse - insufficient disk space 10341000x80000000000000001067454Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:30.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067453Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067452Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.845{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4CCDD241922368766248C7268444BA2,SHA256=A89FE48D4EB5F811BC533053A51492C0B7466FCA18AD3AC197BD0B6B3CC4B2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067451Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.843{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D72205CB2D2759E5D825798FED3BE521,SHA256=173F789C4B1735A7F1AEBDFCF342A6483EA97814152A30CF92070B2A45F0117E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067450Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:30.186{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1E637033E4033A4CB326C8A18E3CE2,SHA256=4962E175439C26446C31CB76102AC1AC9EE863CF1AF43EB5B83D36501BB45DE6,IMPHASH=00000000000000000000000000000000falsetrue 18141800x80000000000000001546683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.990{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.643{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.643{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBE832F77405D25111A599C553D65EC,SHA256=AC84A701467BE1F9A62BA857B8E0A1797CEF0E7B0A31E3FA0649528C4EBB6CBFfalsefalse - insufficient disk space 534500x80000000000000001546675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.458{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000001067459Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:31.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067458Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:31.978{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067457Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.849{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32511-false10.0.1.12-8000- 354300x80000000000000001067456Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:26.510{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32510-false10.0.1.12-8089- 
23542300x80000000000000001067455Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:31.194{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD57C2A4A08F0138E1B5FB28DF0BB28B,SHA256=5CF651C9660A09E0956E278987E3E5E24C78B86DEC5E5F1A06835DEABC6B8BBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001546674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.442{21761711-65AB-6080-495E-00000000BB01}7161912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.442{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:31.442{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 
18141800x80000000000000001546668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001546667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001546665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 
(rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.326{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL 
Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 
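The Event ID 10 (ProcessAccess) records in this export all carry a GrantedAccess mask and a CallTrace, which is what separates routine handle opens (svchost.exe's Process State Manager touching ShellExperienceHost.exe and SearchUI.exe with 0x3600, conhost.exe attaching to its client with 0x1fffff, splunk-admon.exe querying splunkd.exe with 0x101400) from memory reads or injection. The following is an added example, not part of this log export or of Sysmon or Splunk: it decodes the mask into named PROCESS_* rights from winnt.h and applies a small triage rule set over constructed records. The first three sample records mirror image, mask and call-trace values visible in this log; the fourth record (demo.exe reading lsass.exe through an unbacked frame) and the allowlist rules are assumptions for illustration.

```python
"""Decode and triage Sysmon Event ID 10 (ProcessAccess) records.

Added example, not part of the original log export. SAMPLE_EVENTS is
constructed: three records mirror values visible in the log above, the
fourth is hypothetical and exists only to show a flagged event.
"""
from __future__ import annotations
from dataclasses import dataclass

# PROCESS_* and standard access-right bits as defined in winnt.h.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

# Rights that let the source read or alter the target's memory or threads.
MEMORY_RIGHTS = {"PROCESS_VM_READ", "PROCESS_VM_WRITE", "PROCESS_VM_OPERATION",
                 "PROCESS_CREATE_THREAD", "PROCESS_DUP_HANDLE"}


@dataclass
class ProcessAccess:
    utc_time: str
    source_image: str
    target_image: str
    granted_access: int
    call_trace: str


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into named rights, lowest bit first."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    known = 0
    for bit in PROCESS_RIGHTS:
        known |= bit
    leftover = mask & ~known
    if leftover:
        names.append(f"0x{leftover:x}")  # bits winnt.h gives no name to
    return names


def trace_modules(call_trace: str) -> list[str]:
    """Lower-cased module basenames from a Sysmon CallTrace ('path+offset|...')."""
    return [frame.rsplit("\\", 1)[-1].split("+")[0].lower()
            for frame in call_trace.split("|") if frame]


def triage(ev: ProcessAccess) -> str:
    rights = set(decode_access(ev.granted_access))
    if "PROCESS_ALL_ACCESS" in rights:
        rights = set(PROCESS_RIGHTS.values())
    modules = trace_modules(ev.call_trace)
    source = ev.source_image.rsplit("\\", 1)[-1].lower()
    # A frame Sysmon could not map to a loaded image ("UNKNOWN(addr)") means
    # the open came from unbacked memory; that outranks any allowlist entry.
    if any(m.startswith("unknown") for m in modules):
        return "review: unbacked code in call trace"
    # Allowlist rules derived from the benign pairs in this log (assumption;
    # tune per estate). Each rule pins the source image to the module that
    # should be on the stack, so a renamed binary does not inherit the pass.
    if source == "conhost.exe" and "conhostv2.dll" in modules:
        return "benign: console host attaching to its client process"
    if (source == "svchost.exe" and "psmserviceexthost.dll" in modules
            and not rights & MEMORY_RIGHTS):
        return "benign: Process State Manager adjusting a packaged app"
    hit = sorted(rights & MEMORY_RIGHTS)
    if hit:
        return "review: " + ",".join(hit)
    return "info: query/synchronize rights only"


# Constructed sample records (call traces shortened to the relevant frames).
SAMPLE_EVENTS = [
    ProcessAccess("2021-04-21 17:49:28.977", r"C:\Windows\system32\svchost.exe",
                  r"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe",
                  0x3600, r"C:\Windows\SYSTEM32\ntdll.dll+a6134|"
                  r"C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\ntdll.dll+51781"),
    ProcessAccess("2021-04-21 17:49:31.442",
                  r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe",
                  r"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe",
                  0x101400, r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|"
                  r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5"),
    ProcessAccess("2021-04-21 17:49:31.311", r"C:\Windows\system32\conhost.exe",
                  r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe",
                  0x1FFFFF, r"C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|"
                  r"C:\Windows\SYSTEM32\ntdll.dll+51781"),
    # Hypothetical, not from the log: VM_READ on lsass from an unbacked frame.
    ProcessAccess("2021-04-21 17:50:00.000", r"C:\Users\Public\demo.exe",
                  r"C:\Windows\system32\lsass.exe", 0x1410,
                  r"C:\Windows\SYSTEM32\ntdll.dll+a6134|UNKNOWN(000001F4A2B30000)"),
]


def triage_all(events=SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    """(source basename, target basename, verdict) for each record."""
    return [(ev.source_image.rsplit("\\", 1)[-1],
             ev.target_image.rsplit("\\", 1)[-1], triage(ev)) for ev in events]


if __name__ == "__main__":
    for src, dst, verdict in triage_all():
        print(f"{src} -> {dst}: {verdict}")
```

The allowlist keys on the module that should appear in the CallTrace rather than on the image path alone, so a binary dropped under a trusted name does not inherit the exception; an UNKNOWN frame is checked first because it indicates code running from memory that no loaded image backs. Separately, note that the Event ID 23 (FileDelete) records from win-host-5 in this export end with "false - insufficient disk space" in the Archived field while the win-dc-982 records end with "true": Sysmon is not retaining copies of deleted files on that host, so the hashes in those records are all that survives of the deleted content.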
734700x80000000000000001546640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001546633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AB-6080-495E-00000000BB01}716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:31.311{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x80000000000000001546628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.311{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:31.305{21761711-65AB-6080-495E-00000000BB01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:31.304{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x80000000000000001546797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.830{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.814{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.814{21761711-65AC-6080-4B5E-00000000BB01}12362200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000001546794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.814{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.814{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000001546792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.745{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.745{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0968A0ED911DCFB37F5D6170C7D199FE,SHA256=94E86E35B9C9D56073D244A36C11CBB89A7E4A89B2B476341952F2AC66897F55falsefalse - insufficient disk space 
734700x80000000000000001546790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 
734700x80000000000000001546778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User 
Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:32.692{21761711-65AC-6080-4B5E-00000000BB01}1236C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 
734700x80000000000000001546902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000001546896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 
734700x80000000000000001546879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001546878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x80000000000000001546874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x80000000000000001546869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.879{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:33.879{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.866{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
18141800x80000000000000001546866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.864{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.864{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:33.864{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882D5704CD7C3997EB286E8F04FDC5F5,SHA256=13B3E2BDB014A3991F4DC094FFD83A3BB40AAD112727F301C5F9452EE2DF00F9falsefalse - insufficient disk space 11241100x80000000000000001546858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.848{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.848{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6CDDA8AD830B1E78021EB18491BBA3,SHA256=80E918F7FB75013FB838DBB9CE462F1DF283A1020C720E5A5913D28CE752F390falsefalse - insufficient disk space 11241100x80000000000000001546856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.848{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.848{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBDF483BF06D9C7AF44FAEF65FC29CD4,SHA256=2B4B4052BE267B1B5135A3226B30A5B728F21E07395C4E8910DFB40C9271FAA7falsefalse - insufficient disk space 10341000x80000000000000001067465Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:33.979{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067464Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:33.979{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067463Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:33.221{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F583C3F0ADDB54D153CB6A34C1C654,SHA256=019D28EE3696AE807126FE331EB0433898274D5F913CD6679962B978DB378737,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001546854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.516{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.516{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.516{21761711-65AD-6080-4C5E-00000000BB01}75006636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:33.513{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.513{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.394{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 
734700x80000000000000001546847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001546843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000001546835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001546812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base 
APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000001546806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.378{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.363{21761711-65AD-6080-4C5E-00000000BB01}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:33.363{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001546978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.998{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.998{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348817922FAFD581695BCC6BD768AB46,SHA256=BA0B228A4CBDA0142753E249654670E4DE5897B86B121A4A5F026042E40F0160falsefalse - insufficient disk space 11241100x80000000000000001546976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.982{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001546975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.982{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8AF7A816D135E9E81BC012D852C9CB4,SHA256=0DFEB65079329E856F4AE9EB33650E957C9DC23B25ACE4772D50466B5493F160falsefalse - insufficient disk space 11241100x80000000000000001546974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.982{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001546973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.982{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B782A9F6E77C7B7EE7FAD4F6E24884B,SHA256=E50D4E3820314DE73D2DAC14717086044EC3C940E38083585B72BC9A1CCD0986falsefalse - insufficient disk space 10341000x80000000000000001067468Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:34.980{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067467Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:34.980{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067466Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:34.240{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AEBE6828EA6F55B566C3A9195EA31E,SHA256=8A3E52D10AF9F02F4BB1A1666DE451AA9ACAFE20E629D1CE9310F87BB027E85C,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001546972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001546970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}50007464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001546969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 
734700x80000000000000001546968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.697{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001546967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.581{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001546966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001546965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001546964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001546962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001546961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001546960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 
(rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001546959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001546958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001546957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001546956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001546955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001546954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001546953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001546952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001546951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001546950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001546949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001546948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001546947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001546946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001546945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001546944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001546943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001546942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001546941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001546940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001546939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001546938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001546937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001546936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001546935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001546934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001546933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001546932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001546931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001546930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
734700x80000000000000001546929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001546928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001546927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001546926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, 
Inc.Valid 10341000x80000000000000001546925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.565{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001546923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.551{21761711-65AE-6080-4E5E-00000000BB01}5000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001546922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001546918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001546917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:49:34.550{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
534500x80000000000000001546916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.017{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001546915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.017{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001546914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.017{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001546913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:34.017{21761711-65AD-6080-4D5E-00000000BB01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x80000000000000001067471Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:35.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067470Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:35.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067469Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:35.243{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7695D075178F26E03F1EE572FCFD54E7,SHA256=42FD962669C6AAC15C39730ED5F68EEB7ACD287F8C56508A78D7B420E4F3A171,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\90d87c30-ea35-4b55-9a5d-4270c3ae17602021-04-21 17:49:35.938 734700x80000000000000001548151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.938{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dbgcore.dll10.0.14321.1024 (debuggers(dbg).160715-1616)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=F9E3229224FEC57A53F5B2A4B21942E0,SHA256=C008454B1C65436C4289918CD64A83FDE655E2682977C68F3B866A3BB947E244trueMicrosoft WindowsValid 734700x80000000000000001548150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=529408E2C123D00D4CC2BEBCC8479566,SHA256=B8FE6F8E7B439EE4890F305AA008553CB68F6FEA7268262E6F1C3FD7F6FB90B8trueMicrosoft WindowsValid 734700x80000000000000001548149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\Faultrep.dll10.0.14393.4046 (rs1_release.201028-1803)Windows User Mode Crash Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfaultrep.dllMD5=DF986454FA35F76D1A1A896DD06E8A82,SHA256=F6AEAFE468D20799BECDA4D721940B317E88C2695A80D8497D816B8C241B700DtrueMicrosoft WindowsValid 734700x80000000000000001548148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\wer.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwer.dllMD5=8E413051DCEE704261ECCB513D0BE8E1,SHA256=0FFE33CB1FF0C347C8522965F2AAD467F92DA6F7FFAD3AA1DF824C5BC5AFDB30trueMicrosoft WindowsValid 734700x80000000000000001548147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=0D7153433B25ABA6DF86FBC7FA543CBF,SHA256=C8DF43428EC79BEB384B2B2561A3D8FF98040ABBC760C35F99E1FBE2D04170BFtrueMicrosoft WindowsValid 734700x80000000000000001548146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x80000000000000001548145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x80000000000000001548144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWINTRUST.DLLMD5=FD246A07CED3BC52C91E4CE7F149B814,SHA256=643D290491BB7D0137CAD77B3DB612D69A6EC7AFE9C411D438C3CA1769F1EECCtrueMicrosoft WindowsValid 734700x80000000000000001548143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 734700x80000000000000001548142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000001548141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000001548140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000001548139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 734700x80000000000000001548138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000001548137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000001548136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® 
Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000001548135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 734700x80000000000000001548134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000001548133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 10341000x80000000000000001548132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.922{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000001548131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000001548130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001548129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000001548128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001548127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001548126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001548125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001548124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.922{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 734700x80000000000000001548123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.921{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000001548122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.921{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 734700x80000000000000001548121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.921{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001548120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.921{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe10.0.14393.4046 (rs1_release.201028-1803)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=873FDC21DDF6CBD1D5396E15D9EEB070,SHA256=B18648B926F4F6F1721D033741E07D23148BB3EE435E579B34C2A2B4439476D0trueMicrosoft WindowsValid 10341000x80000000000000001548119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.920{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001548118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.919{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+5b5b|c:\windows\system32\faultrep.dll+61c1|c:\windows\system32\wersvc.dll+ae9c|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001548117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.917{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe10.0.14393.4046 (rs1_release.201028-1803)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 
1520C:\Windows\system32\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=873FDC21DDF6CBD1D5396E15D9EEB070,SHA256=B18648B926F4F6F1721D033741E07D23148BB3EE435E579B34C2A2B4439476D0{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe 10341000x80000000000000001548116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.917{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.916{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.916{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001548113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FEtrueMicrosoft WindowsValid 11241100x80000000000000001548112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\WER\Temp\259f5272-c88b-4aca-96fc-92f1055a61552021-04-21 17:49:35.900 10341000x80000000000000001548111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae19|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ac09|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.900{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7a60|c:\windows\system32\wersvc.dll+76fc|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001548108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\WER\Temp\d51d36f2-3232-4e38-8fdb-02149404cf9f2021-04-21 17:49:35.900 734700x80000000000000001548107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178DtrueMicrosoft WindowsValid 734700x80000000000000001548106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000001548105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000001548104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 734700x80000000000000001548103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=D9715C34200FA21F6356CD5C56FE343C,SHA256=E7541EB9D78312F1F72D8D83A8BB2B26FF3F02F60129DCF7F6759EC7E183C84EtrueMicrosoft WindowsValid 734700x80000000000000001548102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.900{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001548101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001547996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001547995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001547994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 
12241200x80000000000000001547992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001547991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001547990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001547988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x80000000000000001547987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000001547986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000001547985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x80000000000000001547984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x80000000000000001547983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000001547982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000001547981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x80000000000000001547980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs 12241200x80000000000000001547979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs 12241200x80000000000000001547978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates 12241200x80000000000000001547977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000001547976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000001547975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000001547974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs 12241200x80000000000000001547973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates 12241200x80000000000000001547972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 
12241200x80000000000000001547971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x80000000000000001547970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 12241200x80000000000000001547969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x80000000000000001547968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x80000000000000001547967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs 12241200x80000000000000001547966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs 12241200x80000000000000001547965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates 12241200x80000000000000001547964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x80000000000000001547963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x80000000000000001547962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000001547961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs 12241200x80000000000000001547960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates 12241200x80000000000000001547959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x80000000000000001547958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x80000000000000001547957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001547956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001547955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001547954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001547953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001547952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001547951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001547950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001547949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001547947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001547946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001547945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001547942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001547941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001547940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001547938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001547937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001547936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001547934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs 12241200x80000000000000001547933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs 12241200x80000000000000001547932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates 12241200x80000000000000001547931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000001547930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000001547929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001547928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001547927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001547926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000001547925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001547924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001547923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 
12241200x80000000000000001547922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001547921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001547920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001547919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001547918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001547917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000001547916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001547915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001547914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001547913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001547912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001547911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001547910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.837{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Microsoft Enhanced 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294803_WINWORD.EXE_3548_4412_1664.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294803_WINWORD.EXE_3548_4412_1663.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294804_WINWORD.EXE_3548_4412_1662.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294804_WINWORD.EXE_3548_4412_1661.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294804_WINWORD.EXE_3548_4412_1660.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294805_WINWORD.EXE_3548_4412_1659.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294805_WINWORD.EXE_3548_4412_1658.dmp2021-04-21 17:49:35.784 
11241100x80000000000000001547811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294806_WINWORD.EXE_3548_4412_1657.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294806_WINWORD.EXE_3548_4412_1656.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294807_WINWORD.EXE_3548_4412_1655.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294807_WINWORD.EXE_3548_4412_1654.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294808_WINWORD.EXE_3548_4412_1653.dmp2021-04-21 17:49:35.784 11241100x80000000000000001547806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.784{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294808_WINWORD.EXE_3548_4412_1652.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294809_WINWORD.EXE_3548_4412_1651.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294809_WINWORD.EXE_3548_4412_1650.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294809_WINWORD.EXE_3548_4412_1649.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294810_WINWORD.EXE_3548_4412_1648.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294810_WINWORD.EXE_3548_4412_1647.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294811_WINWORD.EXE_3548_4412_1646.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294811_WINWORD.EXE_3548_4412_1645.dmp2021-04-21 17:49:35.768 
11241100x80000000000000001547798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294812_WINWORD.EXE_3548_4412_1644.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294812_WINWORD.EXE_3548_4412_1643.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294813_WINWORD.EXE_3548_4412_1642.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294813_WINWORD.EXE_3548_4412_1641.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294813_WINWORD.EXE_3548_4412_1640.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294814_WINWORD.EXE_3548_4412_1639.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294814_WINWORD.EXE_3548_4412_1638.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294815_WINWORD.EXE_3548_4412_1637.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294815_WINWORD.EXE_3548_4412_1636.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294816_WINWORD.EXE_3548_4412_1635.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294816_WINWORD.EXE_3548_4412_1634.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294817_WINWORD.EXE_3548_4412_1633.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294817_WINWORD.EXE_3548_4412_1632.dmp2021-04-21 17:49:35.768 
11241100x80000000000000001547785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294817_WINWORD.EXE_3548_4412_1631.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294818_WINWORD.EXE_3548_4412_1630.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294818_WINWORD.EXE_3548_4412_1629.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294819_WINWORD.EXE_3548_4412_1628.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294819_WINWORD.EXE_3548_4412_1627.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 11241100x80000000000000001547779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294820_WINWORD.EXE_3548_4412_1626.dmp2021-04-21 17:49:35.768 23542300x80000000000000001547778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9134AC71587070382E3B50C7A8F1486,SHA256=CCD5CF40217858B8B976DF17E40076A34D9AA41F4D90093D6F4543B98E448003falsefalse - insufficient disk space 11241100x80000000000000001547777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294821_WINWORD.EXE_3548_4412_1625.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294821_WINWORD.EXE_3548_4412_1624.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294822_WINWORD.EXE_3548_4412_1623.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294822_WINWORD.EXE_3548_4412_1622.dmp2021-04-21 17:49:35.768 
11241100x80000000000000001547773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294823_WINWORD.EXE_3548_4412_1621.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.768{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294823_WINWORD.EXE_3548_4412_1620.dmp2021-04-21 17:49:35.768 11241100x80000000000000001547771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294824_WINWORD.EXE_3548_4412_1619.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294824_WINWORD.EXE_3548_4412_1618.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294825_WINWORD.EXE_3548_4412_1617.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294825_WINWORD.EXE_3548_4412_1616.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294826_WINWORD.EXE_3548_4412_1615.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294826_WINWORD.EXE_3548_4412_1614.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294827_WINWORD.EXE_3548_4412_1613.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294827_WINWORD.EXE_3548_4412_1612.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294827_WINWORD.EXE_3548_4412_1611.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294828_WINWORD.EXE_3548_4412_1610.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294828_WINWORD.EXE_3548_4412_1609.dmp2021-04-21 17:49:35.753 
11241100x80000000000000001547760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294829_WINWORD.EXE_3548_4412_1608.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294829_WINWORD.EXE_3548_4412_1607.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294830_WINWORD.EXE_3548_4412_1606.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294830_WINWORD.EXE_3548_4412_1605.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294830_WINWORD.EXE_3548_4412_1604.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294831_WINWORD.EXE_3548_4412_1603.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294831_WINWORD.EXE_3548_4412_1602.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294832_WINWORD.EXE_3548_4412_1601.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294832_WINWORD.EXE_3548_4412_1600.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294833_WINWORD.EXE_3548_4412_1599.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294833_WINWORD.EXE_3548_4412_1598.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294834_WINWORD.EXE_3548_4412_1597.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294834_WINWORD.EXE_3548_4412_1596.dmp2021-04-21 17:49:35.753 
11241100x80000000000000001547747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294835_WINWORD.EXE_3548_4412_1595.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294835_WINWORD.EXE_3548_4412_1594.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294835_WINWORD.EXE_3548_4412_1593.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294836_WINWORD.EXE_3548_4412_1592.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294836_WINWORD.EXE_3548_4412_1591.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294837_WINWORD.EXE_3548_4412_1590.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294837_WINWORD.EXE_3548_4412_1589.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294838_WINWORD.EXE_3548_4412_1588.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294838_WINWORD.EXE_3548_4412_1587.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294839_WINWORD.EXE_3548_4412_1586.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.753{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294839_WINWORD.EXE_3548_4412_1585.dmp2021-04-21 17:49:35.753 11241100x80000000000000001547736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294839_WINWORD.EXE_3548_4412_1584.dmp2021-04-21 17:49:35.737 11241100x80000000000000001547735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.737{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294840_WINWORD.EXE_3548_4412_1583.dmp2021-04-21 17:49:35.737 
Microsoft-Windows-Sysmon/Operational events from win-host-5.attackrange.local, newest first (EventRecordID 1547734 down to 1547599). Fields shared by every record: Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName -. Event ID 11 (FileCreate, Version 2) carries UtcTime, ProcessGuid, ProcessId, Image, TargetFilename, CreationUtcTime; Event ID 23 (FileDelete, Version 5) carries UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived.

Rows are Event ID 11 with ProcessGuid {21761711-6344-6080-FE5D-00000000BB01}, ProcessId 3548, Image C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE unless the row lists its own fields. Columns: EventRecordID, UtcTime, TargetFilename, CreationUtcTime.

1547734  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294840_WINWORD.EXE_3548_4412_1582.dmp  2021-04-21 17:49:35.737
1547733  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294841_WINWORD.EXE_3548_4412_1581.dmp  2021-04-21 17:49:35.737
1547732  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294841_WINWORD.EXE_3548_4412_1580.dmp  2021-04-21 17:49:35.737
1547731  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294842_WINWORD.EXE_3548_4412_1579.dmp  2021-04-21 17:49:35.737
1547730  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294842_WINWORD.EXE_3548_4412_1578.dmp  2021-04-21 17:49:35.737
1547729  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294842_WINWORD.EXE_3548_4412_1577.dmp  2021-04-21 17:49:35.737
1547728  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294843_WINWORD.EXE_3548_4412_1576.dmp  2021-04-21 17:49:35.737
1547727  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294843_WINWORD.EXE_3548_4412_1575.dmp  2021-04-21 17:49:35.737
1547726  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294844_WINWORD.EXE_3548_4412_1574.dmp  2021-04-21 17:49:35.737
1547725  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294844_WINWORD.EXE_3548_4412_1573.dmp  2021-04-21 17:49:35.737
1547724  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294845_WINWORD.EXE_3548_4412_1572.dmp  2021-04-21 17:49:35.737
1547723  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294845_WINWORD.EXE_3548_4412_1571.dmp  2021-04-21 17:49:35.737
1547722  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294846_WINWORD.EXE_3548_4412_1570.dmp  2021-04-21 17:49:35.737
1547721  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294846_WINWORD.EXE_3548_4412_1569.dmp  2021-04-21 17:49:35.737
1547720  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294846_WINWORD.EXE_3548_4412_1568.dmp  2021-04-21 17:49:35.737
1547719  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294847_WINWORD.EXE_3548_4412_1567.dmp  2021-04-21 17:49:35.737
1547718  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294847_WINWORD.EXE_3548_4412_1566.dmp  2021-04-21 17:49:35.737
1547717  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294848_WINWORD.EXE_3548_4412_1565.dmp  2021-04-21 17:49:35.737
1547716  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294848_WINWORD.EXE_3548_4412_1564.dmp  2021-04-21 17:49:35.737
1547715  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294849_WINWORD.EXE_3548_4412_1563.dmp  2021-04-21 17:49:35.737
1547714  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294849_WINWORD.EXE_3548_4412_1562.dmp  2021-04-21 17:49:35.737
1547713  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294850_WINWORD.EXE_3548_4412_1561.dmp  2021-04-21 17:49:35.737
1547712  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294850_WINWORD.EXE_3548_4412_1560.dmp  2021-04-21 17:49:35.737
1547711  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294851_WINWORD.EXE_3548_4412_1559.dmp  2021-04-21 17:49:35.737
1547710  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294851_WINWORD.EXE_3548_4412_1558.dmp  2021-04-21 17:49:35.737
1547709  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294851_WINWORD.EXE_3548_4412_1557.dmp  2021-04-21 17:49:35.737
1547708  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294852_WINWORD.EXE_3548_4412_1556.dmp  2021-04-21 17:49:35.737
1547707  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294852_WINWORD.EXE_3548_4412_1555.dmp  2021-04-21 17:49:35.737
1547706  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294853_WINWORD.EXE_3548_4412_1554.dmp  2021-04-21 17:49:35.737
1547705  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294853_WINWORD.EXE_3548_4412_1553.dmp  2021-04-21 17:49:35.737
1547704  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294854_WINWORD.EXE_3548_4412_1552.dmp  2021-04-21 17:49:35.737
1547703  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294854_WINWORD.EXE_3548_4412_1551.dmp  2021-04-21 17:49:35.737
1547702  2021-04-21 17:49:35.737  C:\amsi_tracer\-175294855_WINWORD.EXE_3548_4412_1550.dmp  2021-04-21 17:49:35.737
1547701  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294855_WINWORD.EXE_3548_4412_1549.dmp  2021-04-21 17:49:35.721
1547700  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294856_WINWORD.EXE_3548_4412_1548.dmp  2021-04-21 17:49:35.721
1547699  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294856_WINWORD.EXE_3548_4412_1547.dmp  2021-04-21 17:49:35.721
1547698  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294856_WINWORD.EXE_3548_4412_1546.dmp  2021-04-21 17:49:35.721
1547697  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294857_WINWORD.EXE_3548_4412_1545.dmp  2021-04-21 17:49:35.721
1547696  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294857_WINWORD.EXE_3548_4412_1544.dmp  2021-04-21 17:49:35.721
1547695  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294858_WINWORD.EXE_3548_4412_1543.dmp  2021-04-21 17:49:35.721
1547694  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294858_WINWORD.EXE_3548_4412_1542.dmp  2021-04-21 17:49:35.721
1547693  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294859_WINWORD.EXE_3548_4412_1541.dmp  2021-04-21 17:49:35.721
1547692  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294859_WINWORD.EXE_3548_4412_1540.dmp  2021-04-21 17:49:35.721
1547691  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294860_WINWORD.EXE_3548_4412_1539.dmp  2021-04-21 17:49:35.721
1547690  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294860_WINWORD.EXE_3548_4412_1538.dmp  2021-04-21 17:49:35.721
1547689  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294861_WINWORD.EXE_3548_4412_1537.dmp  2021-04-21 17:49:35.721
1547688  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294861_WINWORD.EXE_3548_4412_1536.dmp  2021-04-21 17:49:35.721
1547687  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294862_WINWORD.EXE_3548_4412_1535.dmp  2021-04-21 17:49:35.721
1547686  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294862_WINWORD.EXE_3548_4412_1534.dmp  2021-04-21 17:49:35.721
1547685  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294863_WINWORD.EXE_3548_4412_1533.dmp  2021-04-21 17:49:35.721
1547684  2021-04-21 17:49:35.721  Event ID 11, ProcessGuid {21761711-8437-607D-CE00-00000000BB01}, ProcessId 2032, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational, CreationUtcTime 2021-04-19 13:21:25.072
1547683  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294863_WINWORD.EXE_3548_4412_1532.dmp  2021-04-21 17:49:35.721
1547682  2021-04-21 17:49:35.721  Event ID 23, ProcessGuid {21761711-8437-607D-CE00-00000000BB01}, ProcessId 2032, User NT AUTHORITY\SYSTEM, Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational, Hashes MD5=EDBFF8C9711C925AF5A1DEE1028107E7,SHA256=D435B101CD7F9014BC8B0A34C4C8050A137905C7320407C99DD33F51B5B90E4B, IsExecutable false, Archived false - insufficient disk space
1547681  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294864_WINWORD.EXE_3548_4412_1531.dmp  2021-04-21 17:49:35.721
1547680  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294864_WINWORD.EXE_3548_4412_1530.dmp  2021-04-21 17:49:35.721
1547679  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294865_WINWORD.EXE_3548_4412_1529.dmp  2021-04-21 17:49:35.721
1547678  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294865_WINWORD.EXE_3548_4412_1528.dmp  2021-04-21 17:49:35.721
1547677  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294866_WINWORD.EXE_3548_4412_1527.dmp  2021-04-21 17:49:35.721
1547676  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294867_WINWORD.EXE_3548_4412_1526.dmp  2021-04-21 17:49:35.721
1547675  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294867_WINWORD.EXE_3548_4412_1525.dmp  2021-04-21 17:49:35.721
1547674  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294868_WINWORD.EXE_3548_4412_1524.dmp  2021-04-21 17:49:35.721
1547673  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294868_WINWORD.EXE_3548_4412_1523.dmp  2021-04-21 17:49:35.721
1547672  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294869_WINWORD.EXE_3548_4412_1522.dmp  2021-04-21 17:49:35.721
1547671  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294869_WINWORD.EXE_3548_4412_1521.dmp  2021-04-21 17:49:35.721
1547670  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294870_WINWORD.EXE_3548_4412_1520.dmp  2021-04-21 17:49:35.721
1547669  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294870_WINWORD.EXE_3548_4412_1519.dmp  2021-04-21 17:49:35.721
1547668  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294871_WINWORD.EXE_3548_4412_1518.dmp  2021-04-21 17:49:35.721
1547667  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294871_WINWORD.EXE_3548_4412_1517.dmp  2021-04-21 17:49:35.721
1547666  2021-04-21 17:49:35.721  C:\amsi_tracer\-175294872_WINWORD.EXE_3548_4412_1516.dmp  2021-04-21 17:49:35.720
1547665  2021-04-21 17:49:35.720  C:\amsi_tracer\-175294872_WINWORD.EXE_3548_4412_1515.dmp  2021-04-21 17:49:35.720
1547664  2021-04-21 17:49:35.720  C:\amsi_tracer\-175294873_WINWORD.EXE_3548_4412_1514.dmp  2021-04-21 17:49:35.719
1547663  2021-04-21 17:49:35.719  C:\amsi_tracer\-175294873_WINWORD.EXE_3548_4412_1513.dmp  2021-04-21 17:49:35.719
1547662  2021-04-21 17:49:35.718  C:\amsi_tracer\-175294874_WINWORD.EXE_3548_4412_1512.dmp  2021-04-21 17:49:35.718
1547661  2021-04-21 17:49:35.718  C:\amsi_tracer\-175294875_WINWORD.EXE_3548_4412_1511.dmp  2021-04-21 17:49:35.717
1547660  2021-04-21 17:49:35.717  C:\amsi_tracer\-175294875_WINWORD.EXE_3548_4412_1510.dmp  2021-04-21 17:49:35.717
1547659  2021-04-21 17:49:35.716  C:\amsi_tracer\-175294876_WINWORD.EXE_3548_4412_1509.dmp  2021-04-21 17:49:35.716
1547658  2021-04-21 17:49:35.716  C:\amsi_tracer\-175294876_WINWORD.EXE_3548_4412_1508.dmp  2021-04-21 17:49:35.716
1547657  2021-04-21 17:49:35.715  C:\amsi_tracer\-175294877_WINWORD.EXE_3548_4412_1507.dmp  2021-04-21 17:49:35.715
1547656  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294877_WINWORD.EXE_3548_4412_1506.dmp  2021-04-21 17:49:35.699
1547655  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294878_WINWORD.EXE_3548_4412_1505.dmp  2021-04-21 17:49:35.699
1547654  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294878_WINWORD.EXE_3548_4412_1504.dmp  2021-04-21 17:49:35.699
1547653  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294879_WINWORD.EXE_3548_4412_1503.dmp  2021-04-21 17:49:35.699
1547652  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294879_WINWORD.EXE_3548_4412_1502.dmp  2021-04-21 17:49:35.699
1547651  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294880_WINWORD.EXE_3548_4412_1501.dmp  2021-04-21 17:49:35.699
1547650  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294880_WINWORD.EXE_3548_4412_1500.dmp  2021-04-21 17:49:35.699
1547649  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294880_WINWORD.EXE_3548_4412_1499.dmp  2021-04-21 17:49:35.699
1547648  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294881_WINWORD.EXE_3548_4412_1498.dmp  2021-04-21 17:49:35.699
1547647  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294881_WINWORD.EXE_3548_4412_1497.dmp  2021-04-21 17:49:35.699
1547646  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294882_WINWORD.EXE_3548_4412_1496.dmp  2021-04-21 17:49:35.699
1547645  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294882_WINWORD.EXE_3548_4412_1495.dmp  2021-04-21 17:49:35.699
1547644  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294883_WINWORD.EXE_3548_4412_1494.dmp  2021-04-21 17:49:35.699
1547643  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294883_WINWORD.EXE_3548_4412_1493.dmp  2021-04-21 17:49:35.699
1547642  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294884_WINWORD.EXE_3548_4412_1492.dmp  2021-04-21 17:49:35.699
1547641  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294884_WINWORD.EXE_3548_4412_1491.dmp  2021-04-21 17:49:35.699
1547640  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294884_WINWORD.EXE_3548_4412_1490.dmp  2021-04-21 17:49:35.699
1547639  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294885_WINWORD.EXE_3548_4412_1489.dmp  2021-04-21 17:49:35.699
1547638  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294885_WINWORD.EXE_3548_4412_1488.dmp  2021-04-21 17:49:35.699
1547637  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294886_WINWORD.EXE_3548_4412_1487.dmp  2021-04-21 17:49:35.699
1547636  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294886_WINWORD.EXE_3548_4412_1486.dmp  2021-04-21 17:49:35.699
1547635  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294887_WINWORD.EXE_3548_4412_1485.dmp  2021-04-21 17:49:35.699
1547634  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294887_WINWORD.EXE_3548_4412_1484.dmp  2021-04-21 17:49:35.699
1547633  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294890_WINWORD.EXE_3548_4412_1483.dmp  2021-04-21 17:49:35.699
1547632  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294890_WINWORD.EXE_3548_4412_1482.dmp  2021-04-21 17:49:35.699
1547631  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294891_WINWORD.EXE_3548_4412_1481.dmp  2021-04-21 17:49:35.699
1547630  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294891_WINWORD.EXE_3548_4412_1480.dmp  2021-04-21 17:49:35.699
1547629  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294892_WINWORD.EXE_3548_4412_1479.dmp  2021-04-21 17:49:35.699
1547628  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294892_WINWORD.EXE_3548_4412_1478.dmp  2021-04-21 17:49:35.699
1547627  2021-04-21 17:49:35.699  C:\amsi_tracer\-175294893_WINWORD.EXE_3548_4412_1477.dmp  2021-04-21 17:49:35.684
1547626  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294893_WINWORD.EXE_3548_4412_1476.dmp  2021-04-21 17:49:35.684
1547625  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294894_WINWORD.EXE_3548_4412_1475.dmp  2021-04-21 17:49:35.684
1547624  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294894_WINWORD.EXE_3548_4412_1474.dmp  2021-04-21 17:49:35.684
1547623  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294894_WINWORD.EXE_3548_4412_1473.dmp  2021-04-21 17:49:35.684
1547622  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294895_WINWORD.EXE_3548_4412_1472.dmp  2021-04-21 17:49:35.684
1547621  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294895_WINWORD.EXE_3548_4412_1471.dmp  2021-04-21 17:49:35.684
1547620  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294896_WINWORD.EXE_3548_4412_1470.dmp  2021-04-21 17:49:35.684
1547619  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294896_WINWORD.EXE_3548_4412_1469.dmp  2021-04-21 17:49:35.684
1547618  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294897_WINWORD.EXE_3548_4412_1468.dmp  2021-04-21 17:49:35.684
1547617  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294897_WINWORD.EXE_3548_4412_1467.dmp  2021-04-21 17:49:35.684
1547616  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294898_WINWORD.EXE_3548_4412_1466.dmp  2021-04-21 17:49:35.684
1547615  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294898_WINWORD.EXE_3548_4412_1465.dmp  2021-04-21 17:49:35.684
1547614  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294899_WINWORD.EXE_3548_4412_1464.dmp  2021-04-21 17:49:35.684
1547613  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294899_WINWORD.EXE_3548_4412_1463.dmp  2021-04-21 17:49:35.684
1547612  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294899_WINWORD.EXE_3548_4412_1462.dmp  2021-04-21 17:49:35.684
1547611  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294900_WINWORD.EXE_3548_4412_1461.dmp  2021-04-21 17:49:35.684
1547610  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294900_WINWORD.EXE_3548_4412_1460.dmp  2021-04-21 17:49:35.684
1547609  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294901_WINWORD.EXE_3548_4412_1459.dmp  2021-04-21 17:49:35.684
1547608  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294901_WINWORD.EXE_3548_4412_1458.dmp  2021-04-21 17:49:35.684
1547607  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294902_WINWORD.EXE_3548_4412_1457.dmp  2021-04-21 17:49:35.684
1547606  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294902_WINWORD.EXE_3548_4412_1456.dmp  2021-04-21 17:49:35.684
1547605  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294903_WINWORD.EXE_3548_4412_1455.dmp  2021-04-21 17:49:35.684
1547604  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294903_WINWORD.EXE_3548_4412_1454.dmp  2021-04-21 17:49:35.684
1547603  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294903_WINWORD.EXE_3548_4412_1453.dmp  2021-04-21 17:49:35.684
1547602  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294904_WINWORD.EXE_3548_4412_1452.dmp  2021-04-21 17:49:35.684
1547601  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294904_WINWORD.EXE_3548_4412_1451.dmp  2021-04-21 17:49:35.684
1547600  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294905_WINWORD.EXE_3548_4412_1450.dmp  2021-04-21 17:49:35.684
1547599  2021-04-21 17:49:35.684  C:\amsi_tracer\-175294905_WINWORD.EXE_3548_4412_1449.dmp  2021-04-21 17:49:35.684
11241100x80000000000000001547598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294906_WINWORD.EXE_3548_4412_1448.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294906_WINWORD.EXE_3548_4412_1447.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294907_WINWORD.EXE_3548_4412_1446.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294907_WINWORD.EXE_3548_4412_1445.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294908_WINWORD.EXE_3548_4412_1444.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.684{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294908_WINWORD.EXE_3548_4412_1443.dmp2021-04-21 17:49:35.684 11241100x80000000000000001547592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294908_WINWORD.EXE_3548_4412_1442.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294909_WINWORD.EXE_3548_4412_1441.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294909_WINWORD.EXE_3548_4412_1440.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294910_WINWORD.EXE_3548_4412_1439.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294910_WINWORD.EXE_3548_4412_1438.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294911_WINWORD.EXE_3548_4412_1437.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294911_WINWORD.EXE_3548_4412_1436.dmp2021-04-21 17:49:35.668 
11241100x80000000000000001547585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294911_WINWORD.EXE_3548_4412_1435.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294912_WINWORD.EXE_3548_4412_1434.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294912_WINWORD.EXE_3548_4412_1433.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294913_WINWORD.EXE_3548_4412_1432.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294913_WINWORD.EXE_3548_4412_1431.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294914_WINWORD.EXE_3548_4412_1430.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294914_WINWORD.EXE_3548_4412_1429.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294914_WINWORD.EXE_3548_4412_1428.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294915_WINWORD.EXE_3548_4412_1427.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294915_WINWORD.EXE_3548_4412_1426.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294916_WINWORD.EXE_3548_4412_1425.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294916_WINWORD.EXE_3548_4412_1424.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294917_WINWORD.EXE_3548_4412_1423.dmp2021-04-21 17:49:35.668 
11241100x80000000000000001547572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294917_WINWORD.EXE_3548_4412_1422.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294918_WINWORD.EXE_3548_4412_1421.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294918_WINWORD.EXE_3548_4412_1420.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294919_WINWORD.EXE_3548_4412_1419.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294919_WINWORD.EXE_3548_4412_1418.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294920_WINWORD.EXE_3548_4412_1417.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294920_WINWORD.EXE_3548_4412_1416.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294921_WINWORD.EXE_3548_4412_1415.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294921_WINWORD.EXE_3548_4412_1414.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294921_WINWORD.EXE_3548_4412_1413.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294922_WINWORD.EXE_3548_4412_1412.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294922_WINWORD.EXE_3548_4412_1411.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294923_WINWORD.EXE_3548_4412_1410.dmp2021-04-21 17:49:35.668 
11241100x80000000000000001547559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294923_WINWORD.EXE_3548_4412_1409.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.668{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294924_WINWORD.EXE_3548_4412_1408.dmp2021-04-21 17:49:35.668 11241100x80000000000000001547557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294924_WINWORD.EXE_3548_4412_1407.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294925_WINWORD.EXE_3548_4412_1406.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294925_WINWORD.EXE_3548_4412_1405.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294925_WINWORD.EXE_3548_4412_1404.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294926_WINWORD.EXE_3548_4412_1403.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294926_WINWORD.EXE_3548_4412_1402.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294927_WINWORD.EXE_3548_4412_1401.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294927_WINWORD.EXE_3548_4412_1400.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294928_WINWORD.EXE_3548_4412_1399.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294928_WINWORD.EXE_3548_4412_1398.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294928_WINWORD.EXE_3548_4412_1397.dmp2021-04-21 17:49:35.653 
11241100x80000000000000001547546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294929_WINWORD.EXE_3548_4412_1396.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294929_WINWORD.EXE_3548_4412_1395.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294930_WINWORD.EXE_3548_4412_1394.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294930_WINWORD.EXE_3548_4412_1393.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294931_WINWORD.EXE_3548_4412_1392.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294931_WINWORD.EXE_3548_4412_1391.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294931_WINWORD.EXE_3548_4412_1390.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294932_WINWORD.EXE_3548_4412_1389.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294932_WINWORD.EXE_3548_4412_1388.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294933_WINWORD.EXE_3548_4412_1387.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294933_WINWORD.EXE_3548_4412_1386.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294934_WINWORD.EXE_3548_4412_1385.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294934_WINWORD.EXE_3548_4412_1384.dmp2021-04-21 17:49:35.653 
11241100x80000000000000001547533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294935_WINWORD.EXE_3548_4412_1383.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294935_WINWORD.EXE_3548_4412_1382.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294935_WINWORD.EXE_3548_4412_1381.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294936_WINWORD.EXE_3548_4412_1380.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294936_WINWORD.EXE_3548_4412_1379.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294937_WINWORD.EXE_3548_4412_1378.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294937_WINWORD.EXE_3548_4412_1377.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547526Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294938_WINWORD.EXE_3548_4412_1376.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547525Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294938_WINWORD.EXE_3548_4412_1375.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547524Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294939_WINWORD.EXE_3548_4412_1374.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547523Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294939_WINWORD.EXE_3548_4412_1373.dmp2021-04-21 17:49:35.653 11241100x80000000000000001547522Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.653{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294940_WINWORD.EXE_3548_4412_1372.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294940_WINWORD.EXE_3548_4412_1371.dmp2021-04-21 17:49:35.637 
11241100x80000000000000001547520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294940_WINWORD.EXE_3548_4412_1370.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294941_WINWORD.EXE_3548_4412_1369.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294941_WINWORD.EXE_3548_4412_1368.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294942_WINWORD.EXE_3548_4412_1367.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294942_WINWORD.EXE_3548_4412_1366.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294943_WINWORD.EXE_3548_4412_1365.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294943_WINWORD.EXE_3548_4412_1364.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294943_WINWORD.EXE_3548_4412_1363.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294944_WINWORD.EXE_3548_4412_1362.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294944_WINWORD.EXE_3548_4412_1361.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294945_WINWORD.EXE_3548_4412_1360.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294945_WINWORD.EXE_3548_4412_1359.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294946_WINWORD.EXE_3548_4412_1358.dmp2021-04-21 17:49:35.637 
11241100x80000000000000001547507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294946_WINWORD.EXE_3548_4412_1357.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294947_WINWORD.EXE_3548_4412_1356.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294947_WINWORD.EXE_3548_4412_1355.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294947_WINWORD.EXE_3548_4412_1354.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294948_WINWORD.EXE_3548_4412_1353.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294948_WINWORD.EXE_3548_4412_1352.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294949_WINWORD.EXE_3548_4412_1351.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294949_WINWORD.EXE_3548_4412_1350.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294950_WINWORD.EXE_3548_4412_1349.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294950_WINWORD.EXE_3548_4412_1348.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294951_WINWORD.EXE_3548_4412_1347.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294951_WINWORD.EXE_3548_4412_1346.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294951_WINWORD.EXE_3548_4412_1345.dmp2021-04-21 17:49:35.637 
11241100x80000000000000001547494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294952_WINWORD.EXE_3548_4412_1344.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294952_WINWORD.EXE_3548_4412_1343.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294953_WINWORD.EXE_3548_4412_1342.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294953_WINWORD.EXE_3548_4412_1341.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294954_WINWORD.EXE_3548_4412_1340.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294954_WINWORD.EXE_3548_4412_1339.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294954_WINWORD.EXE_3548_4412_1338.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.637{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294955_WINWORD.EXE_3548_4412_1337.dmp2021-04-21 17:49:35.637 11241100x80000000000000001547486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294955_WINWORD.EXE_3548_4412_1336.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294956_WINWORD.EXE_3548_4412_1335.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294956_WINWORD.EXE_3548_4412_1334.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294957_WINWORD.EXE_3548_4412_1333.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294957_WINWORD.EXE_3548_4412_1332.dmp2021-04-21 17:49:35.621 
11241100x80000000000000001547481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294957_WINWORD.EXE_3548_4412_1331.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294958_WINWORD.EXE_3548_4412_1330.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294958_WINWORD.EXE_3548_4412_1329.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294959_WINWORD.EXE_3548_4412_1328.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294959_WINWORD.EXE_3548_4412_1327.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294960_WINWORD.EXE_3548_4412_1326.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294960_WINWORD.EXE_3548_4412_1325.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294961_WINWORD.EXE_3548_4412_1324.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294961_WINWORD.EXE_3548_4412_1323.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294961_WINWORD.EXE_3548_4412_1322.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294962_WINWORD.EXE_3548_4412_1321.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294962_WINWORD.EXE_3548_4412_1320.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294963_WINWORD.EXE_3548_4412_1319.dmp2021-04-21 17:49:35.621 
11241100x80000000000000001547468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294963_WINWORD.EXE_3548_4412_1318.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294964_WINWORD.EXE_3548_4412_1317.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294964_WINWORD.EXE_3548_4412_1316.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294964_WINWORD.EXE_3548_4412_1315.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294965_WINWORD.EXE_3548_4412_1314.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294965_WINWORD.EXE_3548_4412_1313.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294966_WINWORD.EXE_3548_4412_1312.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294966_WINWORD.EXE_3548_4412_1311.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294967_WINWORD.EXE_3548_4412_1310.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294967_WINWORD.EXE_3548_4412_1309.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294968_WINWORD.EXE_3548_4412_1308.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294968_WINWORD.EXE_3548_4412_1307.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294968_WINWORD.EXE_3548_4412_1306.dmp2021-04-21 17:49:35.621 
11241100x80000000000000001547455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294969_WINWORD.EXE_3548_4412_1305.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294969_WINWORD.EXE_3548_4412_1304.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294970_WINWORD.EXE_3548_4412_1303.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294970_WINWORD.EXE_3548_4412_1302.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294971_WINWORD.EXE_3548_4412_1301.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.621{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294971_WINWORD.EXE_3548_4412_1300.dmp2021-04-21 17:49:35.621 11241100x80000000000000001547449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.620{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294972_WINWORD.EXE_3548_4412_1299.dmp2021-04-21 17:49:35.620 11241100x80000000000000001547448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.620{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294972_WINWORD.EXE_3548_4412_1298.dmp2021-04-21 17:49:35.620 11241100x80000000000000001547447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.619{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294973_WINWORD.EXE_3548_4412_1297.dmp2021-04-21 17:49:35.619 11241100x80000000000000001547446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.619{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294973_WINWORD.EXE_3548_4412_1296.dmp2021-04-21 17:49:35.618 11241100x80000000000000001547445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.619{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001547444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.618{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C29C13482E40F9F0D273BDA0EFBB18,SHA256=C5518020B773909FA244A65066382953C7C124472B0AF6063749BBC7B11DC413falsefalse - insufficient disk space 11241100x80000000000000001547443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:35.618{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294974_WINWORD.EXE_3548_4412_1295.dmp2021-04-21 17:49:35.618 11241100x80000000000000001547442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.617{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294975_WINWORD.EXE_3548_4412_1294.dmp2021-04-21 17:49:35.617 11241100x80000000000000001547441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.617{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294975_WINWORD.EXE_3548_4412_1293.dmp2021-04-21 17:49:35.617 11241100x80000000000000001547440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.616{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294976_WINWORD.EXE_3548_4412_1292.dmp2021-04-21 17:49:35.616 11241100x80000000000000001547439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.616{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294976_WINWORD.EXE_3548_4412_1291.dmp2021-04-21 17:49:35.615 11241100x80000000000000001547438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.615{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294977_WINWORD.EXE_3548_4412_1290.dmp2021-04-21 17:49:35.615 11241100x80000000000000001547437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.615{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294977_WINWORD.EXE_3548_4412_1289.dmp2021-04-21 17:49:35.599 
11241100x80000000000000001547436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294978_WINWORD.EXE_3548_4412_1288.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294978_WINWORD.EXE_3548_4412_1287.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294979_WINWORD.EXE_3548_4412_1286.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294979_WINWORD.EXE_3548_4412_1285.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294980_WINWORD.EXE_3548_4412_1284.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294980_WINWORD.EXE_3548_4412_1283.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294980_WINWORD.EXE_3548_4412_1282.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294981_WINWORD.EXE_3548_4412_1281.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294981_WINWORD.EXE_3548_4412_1280.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294982_WINWORD.EXE_3548_4412_1279.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294982_WINWORD.EXE_3548_4412_1278.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294983_WINWORD.EXE_3548_4412_1277.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294983_WINWORD.EXE_3548_4412_1276.dmp2021-04-21 17:49:35.599 
11241100x80000000000000001547423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294984_WINWORD.EXE_3548_4412_1275.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294984_WINWORD.EXE_3548_4412_1274.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294984_WINWORD.EXE_3548_4412_1273.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294985_WINWORD.EXE_3548_4412_1272.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294985_WINWORD.EXE_3548_4412_1271.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294986_WINWORD.EXE_3548_4412_1270.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294986_WINWORD.EXE_3548_4412_1269.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294987_WINWORD.EXE_3548_4412_1268.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294987_WINWORD.EXE_3548_4412_1267.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294987_WINWORD.EXE_3548_4412_1266.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294990_WINWORD.EXE_3548_4412_1265.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294991_WINWORD.EXE_3548_4412_1264.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294991_WINWORD.EXE_3548_4412_1263.dmp2021-04-21 17:49:35.599 
11241100x80000000000000001547410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294992_WINWORD.EXE_3548_4412_1262.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294992_WINWORD.EXE_3548_4412_1261.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.599{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294993_WINWORD.EXE_3548_4412_1260.dmp2021-04-21 17:49:35.599 11241100x80000000000000001547407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294993_WINWORD.EXE_3548_4412_1259.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294994_WINWORD.EXE_3548_4412_1258.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175294994_WINWORD.EXE_3548_4412_1257.dmp2021-04-21 17:49:35.584 11241100x80000000000000001547404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.584{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
11241100x80000000000000001547267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295058_WINWORD.EXE_3548_4412_1119.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295058_WINWORD.EXE_3548_4412_1118.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295059_WINWORD.EXE_3548_4412_1117.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295059_WINWORD.EXE_3548_4412_1116.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295060_WINWORD.EXE_3548_4412_1115.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295060_WINWORD.EXE_3548_4412_1114.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295061_WINWORD.EXE_3548_4412_1113.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295061_WINWORD.EXE_3548_4412_1112.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295062_WINWORD.EXE_3548_4412_1111.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295062_WINWORD.EXE_3548_4412_1110.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295063_WINWORD.EXE_3548_4412_1109.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295063_WINWORD.EXE_3548_4412_1108.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295063_WINWORD.EXE_3548_4412_1107.dmp2021-04-21 17:49:35.521 
11241100x80000000000000001547254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295064_WINWORD.EXE_3548_4412_1106.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295064_WINWORD.EXE_3548_4412_1105.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295065_WINWORD.EXE_3548_4412_1104.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295065_WINWORD.EXE_3548_4412_1103.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295066_WINWORD.EXE_3548_4412_1102.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295066_WINWORD.EXE_3548_4412_1101.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295066_WINWORD.EXE_3548_4412_1100.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295067_WINWORD.EXE_3548_4412_1099.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295067_WINWORD.EXE_3548_4412_1098.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295068_WINWORD.EXE_3548_4412_1097.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295068_WINWORD.EXE_3548_4412_1096.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295069_WINWORD.EXE_3548_4412_1095.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295069_WINWORD.EXE_3548_4412_1094.dmp2021-04-21 17:49:35.521 
11241100x80000000000000001547241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295069_WINWORD.EXE_3548_4412_1093.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295070_WINWORD.EXE_3548_4412_1092.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295070_WINWORD.EXE_3548_4412_1091.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295071_WINWORD.EXE_3548_4412_1090.dmp2021-04-21 17:49:35.521 11241100x80000000000000001547237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.521{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295071_WINWORD.EXE_3548_4412_1089.dmp2021-04-21 17:49:35.520 11241100x80000000000000001547236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.520{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295072_WINWORD.EXE_3548_4412_1088.dmp2021-04-21 17:49:35.520 11241100x80000000000000001547235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.520{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295072_WINWORD.EXE_3548_4412_1087.dmp2021-04-21 17:49:35.519 11241100x80000000000000001547234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.519{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295073_WINWORD.EXE_3548_4412_1086.dmp2021-04-21 17:49:35.519 11241100x80000000000000001547233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.519{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295073_WINWORD.EXE_3548_4412_1085.dmp2021-04-21 17:49:35.519 11241100x80000000000000001547232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.519{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295074_WINWORD.EXE_3548_4412_1084.dmp2021-04-21 17:49:35.519 11241100x80000000000000001547231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.518{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295074_WINWORD.EXE_3548_4412_1083.dmp2021-04-21 17:49:35.518 11241100x80000000000000001547230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.518{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295074_WINWORD.EXE_3548_4412_1082.dmp2021-04-21 17:49:35.518 11241100x80000000000000001547229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.517{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295075_WINWORD.EXE_3548_4412_1081.dmp2021-04-21 17:49:35.517 
11241100x80000000000000001547228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.517{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295075_WINWORD.EXE_3548_4412_1080.dmp2021-04-21 17:49:35.517 11241100x80000000000000001547227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.516{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295076_WINWORD.EXE_3548_4412_1079.dmp2021-04-21 17:49:35.516 11241100x80000000000000001547226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.516{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295076_WINWORD.EXE_3548_4412_1078.dmp2021-04-21 17:49:35.516 11241100x80000000000000001547225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.515{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295077_WINWORD.EXE_3548_4412_1077.dmp2021-04-21 17:49:35.515 11241100x80000000000000001547224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.515{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295077_WINWORD.EXE_3548_4412_1076.dmp2021-04-21 17:49:35.515 11241100x80000000000000001547223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.515{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295078_WINWORD.EXE_3548_4412_1075.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295078_WINWORD.EXE_3548_4412_1074.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295078_WINWORD.EXE_3548_4412_1073.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295079_WINWORD.EXE_3548_4412_1072.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295079_WINWORD.EXE_3548_4412_1071.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295080_WINWORD.EXE_3548_4412_1070.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295080_WINWORD.EXE_3548_4412_1069.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295081_WINWORD.EXE_3548_4412_1068.dmp2021-04-21 17:49:35.499 
11241100x80000000000000001547215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295081_WINWORD.EXE_3548_4412_1067.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295082_WINWORD.EXE_3548_4412_1066.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295082_WINWORD.EXE_3548_4412_1065.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295082_WINWORD.EXE_3548_4412_1064.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295083_WINWORD.EXE_3548_4412_1063.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295083_WINWORD.EXE_3548_4412_1062.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295084_WINWORD.EXE_3548_4412_1061.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295084_WINWORD.EXE_3548_4412_1060.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295085_WINWORD.EXE_3548_4412_1059.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295085_WINWORD.EXE_3548_4412_1058.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295086_WINWORD.EXE_3548_4412_1057.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295086_WINWORD.EXE_3548_4412_1056.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295086_WINWORD.EXE_3548_4412_1055.dmp2021-04-21 17:49:35.499 
11241100x80000000000000001547202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295087_WINWORD.EXE_3548_4412_1054.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295087_WINWORD.EXE_3548_4412_1053.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295088_WINWORD.EXE_3548_4412_1052.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295088_WINWORD.EXE_3548_4412_1051.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295089_WINWORD.EXE_3548_4412_1050.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295089_WINWORD.EXE_3548_4412_1049.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295089_WINWORD.EXE_3548_4412_1048.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295090_WINWORD.EXE_3548_4412_1047.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295090_WINWORD.EXE_3548_4412_1046.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295091_WINWORD.EXE_3548_4412_1045.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295091_WINWORD.EXE_3548_4412_1044.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295092_WINWORD.EXE_3548_4412_1043.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295092_WINWORD.EXE_3548_4412_1042.dmp2021-04-21 17:49:35.499 
11241100x80000000000000001547189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295093_WINWORD.EXE_3548_4412_1041.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.499{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295093_WINWORD.EXE_3548_4412_1040.dmp2021-04-21 17:49:35.499 11241100x80000000000000001547187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295093_WINWORD.EXE_3548_4412_1039.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295094_WINWORD.EXE_3548_4412_1038.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295094_WINWORD.EXE_3548_4412_1037.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295095_WINWORD.EXE_3548_4412_1036.dmp2021-04-21 17:49:35.483 11241100x80000000000000001547183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.483{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295157_WINWORD.EXE_3548_4412_901.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295157_WINWORD.EXE_3548_4412_900.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295158_WINWORD.EXE_3548_4412_899.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295158_WINWORD.EXE_3548_4412_898.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295159_WINWORD.EXE_3548_4412_897.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295159_WINWORD.EXE_3548_4412_896.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295159_WINWORD.EXE_3548_4412_895.dmp2021-04-21 17:49:35.421 
11241100x80000000000000001547040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295160_WINWORD.EXE_3548_4412_894.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295160_WINWORD.EXE_3548_4412_893.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295161_WINWORD.EXE_3548_4412_892.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295161_WINWORD.EXE_3548_4412_891.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295162_WINWORD.EXE_3548_4412_890.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295162_WINWORD.EXE_3548_4412_889.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295163_WINWORD.EXE_3548_4412_888.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295163_WINWORD.EXE_3548_4412_887.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295163_WINWORD.EXE_3548_4412_886.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295164_WINWORD.EXE_3548_4412_885.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295164_WINWORD.EXE_3548_4412_884.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295165_WINWORD.EXE_3548_4412_883.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295165_WINWORD.EXE_3548_4412_882.dmp2021-04-21 17:49:35.421 
11241100x80000000000000001547027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295166_WINWORD.EXE_3548_4412_881.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295166_WINWORD.EXE_3548_4412_880.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295166_WINWORD.EXE_3548_4412_879.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295167_WINWORD.EXE_3548_4412_878.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295167_WINWORD.EXE_3548_4412_877.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295168_WINWORD.EXE_3548_4412_876.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295168_WINWORD.EXE_3548_4412_875.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295169_WINWORD.EXE_3548_4412_874.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295169_WINWORD.EXE_3548_4412_873.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295169_WINWORD.EXE_3548_4412_872.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295170_WINWORD.EXE_3548_4412_871.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295170_WINWORD.EXE_3548_4412_870.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295171_WINWORD.EXE_3548_4412_869.dmp2021-04-21 17:49:35.421 
11241100x80000000000000001547014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.421{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295171_WINWORD.EXE_3548_4412_868.dmp2021-04-21 17:49:35.421 11241100x80000000000000001547013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.420{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295172_WINWORD.EXE_3548_4412_867.dmp2021-04-21 17:49:35.420 11241100x80000000000000001547012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.420{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295172_WINWORD.EXE_3548_4412_866.dmp2021-04-21 17:49:35.420 11241100x80000000000000001547011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.419{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295173_WINWORD.EXE_3548_4412_865.dmp2021-04-21 17:49:35.419 11241100x80000000000000001547010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.419{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295173_WINWORD.EXE_3548_4412_864.dmp2021-04-21 17:49:35.419 11241100x80000000000000001547009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.418{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295173_WINWORD.EXE_3548_4412_863.dmp2021-04-21 17:49:35.418 11241100x80000000000000001547008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.418{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295174_WINWORD.EXE_3548_4412_862.dmp2021-04-21 17:49:35.418 11241100x80000000000000001547007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.418{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295174_WINWORD.EXE_3548_4412_861.dmp2021-04-21 17:49:35.417 11241100x80000000000000001547006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.417{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295175_WINWORD.EXE_3548_4412_860.dmp2021-04-21 17:49:35.417 11241100x80000000000000001547005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.417{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295175_WINWORD.EXE_3548_4412_859.dmp2021-04-21 17:49:35.417 11241100x80000000000000001547004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.416{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295176_WINWORD.EXE_3548_4412_858.dmp2021-04-21 17:49:35.416 11241100x80000000000000001547003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.416{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295176_WINWORD.EXE_3548_4412_857.dmp2021-04-21 17:49:35.416 11241100x80000000000000001547002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.415{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295177_WINWORD.EXE_3548_4412_856.dmp2021-04-21 17:49:35.415 
11241100x80000000000000001547001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.415{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295177_WINWORD.EXE_3548_4412_855.dmp2021-04-21 17:49:35.415 11241100x80000000000000001547000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.414{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295177_WINWORD.EXE_3548_4412_854.dmp2021-04-21 17:49:35.414 11241100x80000000000000001546999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295178_WINWORD.EXE_3548_4412_853.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295178_WINWORD.EXE_3548_4412_852.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295179_WINWORD.EXE_3548_4412_851.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295179_WINWORD.EXE_3548_4412_850.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295180_WINWORD.EXE_3548_4412_849.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295180_WINWORD.EXE_3548_4412_848.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295181_WINWORD.EXE_3548_4412_847.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295181_WINWORD.EXE_3548_4412_846.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295181_WINWORD.EXE_3548_4412_845.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295182_WINWORD.EXE_3548_4412_844.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295182_WINWORD.EXE_3548_4412_843.dmp2021-04-21 17:49:35.399 
11241100x80000000000000001546988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295183_WINWORD.EXE_3548_4412_842.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295183_WINWORD.EXE_3548_4412_841.dmp2021-04-21 17:49:35.399 11241100x80000000000000001546986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295184_WINWORD.EXE_3548_4412_840.dmp2021-04-21 17:49:35.399 10341000x80000000000000001546985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001546984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}35484412C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft 
Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c98f|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d457|UNKNOWN(00000200BF36276A) 154100x80000000000000001546983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.407{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\dllhost.exeC:\Users\Administrator\Documents\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Administrator\Desktop\cs_doc1_rundll32.dotm" 11241100x80000000000000001546982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175295186_WINWORD.EXE_3548_4412_839.dmp2021-04-21 17:49:35.399 13241300x80000000000000001546981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:35.399{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001546980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:49:35.399{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001546979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.399{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067474Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:36.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067473Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:36.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067472Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:36.251{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A17A0BA5FF9E96B4AA35BEAD269CC84,SHA256=17144A3D92FD10789C7253F55C60864082BAADE59F492168ED7C901066A50510,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.912{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001548508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.912{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B4A17FCE3209D14A13760B7DE351319C,SHA256=40C3654F64FF51A99BA34DE9DF81C66514A9E255444C299650DC4835A87D02A1falsefalse - insufficient disk space 
11241100x80000000000000001548507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.912{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001548506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.912{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AD308801971211A6360D9ED31C7DC51E,SHA256=AA2F9203167BE2DBE507504DA15CB5B9695DC613D6B8523C27D05769C2FF7291falsefalse - insufficient disk space 11241100x80000000000000001548505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.411{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.411{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120335E23CDAA89B3FF05958FC542371,SHA256=9C14CD0A0E9BB856819FAFC13AD49903D8C159DC33A1224E2D8FB2C63627268Ffalsefalse - insufficient disk space 11241100x80000000000000001548503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.342{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 
23542300x80000000000000001548502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.342{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=205840ADD0A7941FA2B7BA89AEE3F866,SHA256=2D25750E653E8D6D33F5D05357636D46A3D8ACFA10C57EA4F2830B0F27B45A95falsefalse - insufficient disk space 734700x80000000000000001548501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.342{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=7CAAFE27AECA4ED69CC960438C1B5757,SHA256=725B17A1DC08013337B50D4E0A6E332CC4C30F164383DF2ABBC735001C834F2CtrueMicrosoft WindowsValid 13241300x80000000000000001548500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWordBinary Data 13241300x80000000000000001548499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastSyncTimeWordBinary Data 13241300x80000000000000001548498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:49:36.326{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 13241300x80000000000000001548496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 10341000x80000000000000001548495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000001548494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.326{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001548493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.326{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.326{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001548488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502\VirtualDesktopBinary Data 12241200x80000000000000001548487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502 10341000x80000000000000001548486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001548485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.311{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles\FirstLevelConsentDialogQWORD (0x00000000-0x00090502) 12241200x80000000000000001548484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.311{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles 13241300x80000000000000001548483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.311{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles\FirstLevelConsentDialogQWORD (0x00000000-0x00090502) 12241200x80000000000000001548482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.311{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles 10341000x80000000000000001548481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001548479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001548478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.311{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\atlthunk.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)atlthunk.dllMicrosoft® Windows® Operating SystemMicrosoft Corporationatlthunk.dllMD5=A0424A3330CB582D9B8713C8B739FBE8,SHA256=F6CD2DD95233A3B3374F99FF817F5E9628402B25333E3E79FB41C2686740D8D4trueMicrosoft WindowsValid 734700x80000000000000001548476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=6B79A24E4A03FB84ED7AD3CDEE60882E,SHA256=21FDC6DA3E5F2D55238D1801725353A879D5D909456C03DBBD3A7401DDAC464AtrueMicrosoft WindowsValid 734700x80000000000000001548475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValid 
734700x80000000000000001548474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msls31.dll3.10.349.0Microsoft Line Services library fileMicrosoft® Line ServicesMicrosoft CorporationMSLS31.DLLMD5=B2911DEDDF06CA1AB66C810EB98AA503,SHA256=B8FAC47D96B3577104AA20C84E532024E4B8D7A7B222E715E7FBC368151E34D3trueMicrosoft WindowsValid 734700x80000000000000001548473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\usp10.dll10.0.14393.3321 (rs1_release.191016-1811)Uniscribe Unicode script processorMicrosoft® Windows® Operating SystemMicrosoft CorporationUSP10.DLLMD5=BABC9A4B603F1B79B3184EF2E902EFBD,SHA256=119158E0116F78286FFA4AEE4924B53E98821AA48687132C26DE22D75ECBF200trueMicrosoft WindowsValid 734700x80000000000000001548472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.295{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\riched20.dll5.31.23.1231Rich Text Edit Control, v3.1Microsoft RichEdit Control, version 3.1Microsoft Corporationriched20.dllMD5=8B3765D5135A105F4AD1B2582717B493,SHA256=6F0F9BF748660D218D21183A0B25D93BF5B659EF88B4F47E009480B3A244661FtrueMicrosoft WindowsValid 734700x80000000000000001548471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\duser.dll10.0.14393.0 (rs1_release.160715-1616)Windows DirectUser EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUser.DLLMD5=4A6B9E1DD8DB4FF865318B8CA92CE8D1,SHA256=14C94E22015FEA86566876469B1ECB034BE9991D55CE2C20AB8EF86A1FB1A78CtrueMicrosoft WindowsValid 
734700x80000000000000001548470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 10341000x80000000000000001548469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 
734700x80000000000000001548467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 11241100x80000000000000001548466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D072BCFF3BEB50DA63B0B963757F5EF,SHA256=24A314FA067AAFA5E192D2D4586AE66F801A983C01901B17F63A1D0D35A2AE94falsefalse - insufficient disk space 10341000x80000000000000001548464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.279{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.279{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001548462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 10341000x80000000000000001548461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.264{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001548459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 12241200x80000000000000001548458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000001548457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 12241200x80000000000000001548456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000001548451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x80000000000000001548434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001548433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.264{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 12241200x80000000000000001548432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000001548429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.198{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValid 12241200x80000000000000001548428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 
12241200x80000000000000001548426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000001548411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.264{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.263{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000001548400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.198{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=12ED40D048D0F5F44D3877936A1B7E8B,SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41trueMicrosoft WindowsValid 12241200x80000000000000001548399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000001548397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x80000000000000001548396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.262{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 12241200x80000000000000001548395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.261{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.259{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.258{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.258{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000001548369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x80000000000000001548367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.257{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=E106B5F926250103ED5FCECAAF5F2B50,SHA256=B94CEDC430D22B2BA88BB1520EDF9362850494896F810DB0AC9E552E9BF8C031trueMicrosoft WindowsValid 734700x80000000000000001548366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.194{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=6B79A24E4A03FB84ED7AD3CDEE60882E,SHA256=21FDC6DA3E5F2D55238D1801725353A879D5D909456C03DBBD3A7401DDAC464AtrueMicrosoft WindowsValid 12241200x80000000000000001548365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 
12241200x80000000000000001548363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.257{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.256{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.256{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.256{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.256{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.253{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 734700x80000000000000001548351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.125{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValid 12241200x80000000000000001548350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
12241200x80000000000000001548349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001548348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000001548334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.252{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.248{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001548327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001548326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001548325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000001548324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.122{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=1A1F35AD47F8EB4BB2203E875C20EDFE,SHA256=21F3B5877315EC221A1F23EA4863A4E987DBFF63D6FCC97C8D59801356413A4BtrueMicrosoft WindowsValid 12241200x80000000000000001548323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001548321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000001548320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001548307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001548306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001548305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001548304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.247{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000001548303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.244{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\werui.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Error Reporting UI DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwerui.dllMD5=648905E84F3DF8C6A686BD73548ACDDD,SHA256=470A40456CB2D930B319B9FD938288A66A4CDA66C1DF170F393674CFD0D7660AtrueMicrosoft WindowsValid 10341000x80000000000000001548302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.236{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\wer.dll+3ef62(wow64)|C:\Windows\System32\wer.dll+3f333(wow64)|C:\Windows\System32\wer.dll+3fb69(wow64)|C:\Windows\System32\wer.dll+202eb(wow64)|C:\Windows\System32\wer.dll+14541(wow64)|C:\Windows\System32\faultrep.dll+fb1c(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 11241100x80000000000000001548301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.236{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\b79a5987-20ab-45b7-8412-ec3e13d502bc2021-04-21 17:49:36.235 11241100x80000000000000001548300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.235{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\bcab31a1-78ae-412a-8c99-ac46a1eb1a742021-04-21 17:49:36.234 11241100x80000000000000001548299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.233{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\20eed146-ae94-4256-8367-bef42b13ee1c2021-04-21 17:49:36.233 10341000x80000000000000001548298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.231{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\wer.dll+32eab(wow64)|C:\Windows\System32\wer.dll+24751(wow64)|C:\Windows\System32\wer.dll+145e9(wow64)|C:\Windows\System32\faultrep.dll+fa00(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x80000000000000001548297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.220{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33fe2f(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33d738(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee5e9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee664(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee6ed(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c8c5(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+29305d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1e12f4(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c4f9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb18d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb022(wow64) 10341000x80000000000000001548296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.201{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+3404d2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33c892(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+232f54(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+233565(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+239e56(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf2f2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cd856(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf434(wow64)|C:\Windows\System32\faultrep.dll+14a65(wow64)|C:\Windows\System32\faultrep.dll+e3db(wow64)|C:\Windows\System32\faultrep.dll+f895(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64) 734700x80000000000000001548295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.196{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\DbgModel.dll10.0.14321.1024 (debuggers(dbg).160906-1818)Windows Debugger Data ModelMicrosoft® Windows® Operating SystemMicrosoftDbgModel.DllMD5=55AAAA3C2A11EE0F48BFB10D222C4A7F,SHA256=E756925EC8A21F951325CA6B5F10BC393FEA8217282B11CA9529A953CCEE89A7trueMicrosoft WindowsValid 734700x80000000000000001548294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.192{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dbgeng.dll10.0.14321.1024 (rs1_release.190305-1856)Windows Symbolic Debugger EngineMicrosoft® Windows® Operating 
SystemMicrosoftDbgEng.DllMD5=E7B73634B272631F75020C9ECAEEB72F,SHA256=AB151D6AD97FCCD36C5326BAD72DCC2AD42449D5AFDE598AA9C1159C138B9744trueMicrosoft WindowsValid 354300x80000000000000001548293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:33.603{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64998-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001548292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.176{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725 23542300x80000000000000001548291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.176{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=83B554800A149999EB4D1C21EA6EC209,SHA256=9CFEACBD8953CEE4EB73589A4FFA926EBF5EEE7CAEA4CE57FD864B4D5EF77744falsefalse - insufficient disk space 11241100x80000000000000001548290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.175{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725 12241200x80000000000000001548289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 
17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 12241200x80000000000000001548288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x80000000000000001548287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000001548286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile 12241200x80000000000000001548285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root 13241300x80000000000000001548284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecordBinary Data 12241200x80000000000000001548283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.152{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug 
23542300x80000000000000001548282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.150{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=25B921581CFF75221D254B1118EB46FE,SHA256=6FFFCCA0FE6296077D742F20DA06A10B43FD50B04AAAFD29629C5C442CBD3E2Efalsefalse - insufficient disk space 10341000x80000000000000001548281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.148{21761711-65AF-6080-525E-00000000BB01}70885096C:\Windows\SysWOW64\WerFault.exe{21761711-65AF-6080-4F5E-00000000BB01}3452C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+26bd3(wow64)|C:\Windows\System32\faultrep.dll+19d06(wow64)|C:\Windows\System32\faultrep.dll+19eb5(wow64)|C:\Windows\System32\faultrep.dll+194bb(wow64)|C:\Windows\System32\faultrep.dll+f4b1(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 13241300x80000000000000001548280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:49:36.147{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\UsnQWORD (0x00000000-0x00000000) 13241300x80000000000000001548279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.147{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\IsOsComponentDWORD (0x00000001) 13241300x80000000000000001548278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.147{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\LanguageDWORD (0x00000409) 13241300x80000000000000001548277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.147{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\SizeQWORD (0x00000000-0x00004d60) 13241300x80000000000000001548276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\AppxPackageRelativeId(Empty) 13241300x80000000000000001548275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\AppxPackageFullName(Empty) 
13241300x80000000000000001548274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\BinProductVersion10.0.14393.0 13241300x80000000000000001548273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\LinkDate07/16/2016 01:44:26 13241300x80000000000000001548272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\ProductVersion10.0.14393.0 13241300x80000000000000001548271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\ProductNamemicrosoft® windows® operating system 13241300x80000000000000001548270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\BinaryTypepe32_i386 13241300x80000000000000001548269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\BinFileVersion10.0.14393.0 13241300x80000000000000001548268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\Version10.0.14393.0 (rs1_release.160715-1616) 13241300x80000000000000001548267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\Publishermicrosoft corporation 13241300x80000000000000001548266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\OriginalFileNamedllhost.exe 13241300x80000000000000001548265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\Namedllhost.exe 13241300x80000000000000001548264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\LongPathHashdllhost.exe|79ab8ee61fde52a4 
13241300x80000000000000001548263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\LowerCaseLongPathc:\windows\syswow64\dllhost.exe 13241300x80000000000000001548262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\FileId0000a39ce2eabf6c9493effd3fec1226061cb1b086e6 13241300x80000000000000001548261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4\ProgramId0000f519feec486de87ed73cb92d3cac802400000000 12241200x80000000000000001548260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\dllhost.exe|79ab8ee61fde52a4 924900x80000000000000001548259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\Device\Harddisk0\DR0 924900x80000000000000001548258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.146{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\Device\HarddiskVolume1 734700x80000000000000001548257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.145{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=EFD0BE8FD1FF4E6D9A2112549F00C298,SHA256=FBC2001A38F051603972763B0CBAE114671C68A5FFB99AB013A0E1055C430AB6trueMicrosoft WindowsValid 734700x80000000000000001548256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.143{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sfc_os.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc_os.dllMD5=94C93F32B21EB2DA6AFF2C264B17E623,SHA256=4ABE629C6A2A44F35F205709FB004837871D6CD4F3C21F2F77432B2F98DAFC77trueMicrosoft WindowsValid 734700x80000000000000001548255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.143{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=0F1E9D98CC524190E9B045908E6BC1F6,SHA256=252B3BA71F9452011FA60B6C7655DE65C93EE02754F6B7AF08CBBAAE844CDEEBtrueMicrosoft WindowsValid 12241200x80000000000000001548254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 12241200x80000000000000001548253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 
13241300x80000000000000001548252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 12241200x80000000000000001548251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile 12241200x80000000000000001548250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root 12241200x80000000000000001548249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 12241200x80000000000000001548248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\PermissionsCheckTestKey 13241300x80000000000000001548247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:36.142{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile\WritePermissionsCheckDWORD (0x00000001) 734700x80000000000000001548246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:36.141{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 12241200x80000000000000001548245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.140{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root\InventoryApplicationFile 12241200x80000000000000001548244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.139{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exe\REGISTRY\A\{9610c2f6-162a-0dbc-6303-90ec63d1db10}\Root 734700x80000000000000001548243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.128{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=D72267FB5D321279DE909DB118CDEEFE,SHA256=D8386DCF2ACF3D48A2C95CCF6C3A9505E1CA99FF803027D76068596A34210FAEtrueMicrosoft WindowsValid 734700x80000000000000001548242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.126{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValid 
734700x80000000000000001548241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.126{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=4803B5E62FA1809BBED6F7E987942ACB,SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72trueMicrosoft WindowsValid 734700x80000000000000001548240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.126{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValid 734700x80000000000000001548239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.125{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValid 734700x80000000000000001548238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.125{21761711-65AF-6080-525E-00000000BB01}7088C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1112AB17E3ABDFF5F20CB2F465A2E117,SHA256=C47039A4DF6C685317C6539F205A46350DB055342704F1957D1FB0A1278AC076trueMicrosoft WindowsValid 
12241200x80000000000000001548237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:36.123{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000001548236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.000{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:36.000{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6A034286D1F1298B726A1B12DCD786,SHA256=54D77D7EA6DE5B27363D27CB116C30F28C9CF35047603AD6C220984222743322falsefalse - insufficient disk space 10341000x80000000000000001067480Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:37.981{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067479Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
Sysmon events from channel Microsoft-Windows-Sysmon/Operational on win-host-5.attackrange.local and win-dc-982.attackrange.local, in the export's original order, one event per line: RecordNumber | UtcTime | Computer | EventID and event name | event fields in Sysmon schema order. Header values that are identical in every record are not repeated: Level 4 (Information), Opcode 0, Task = EventID, Keywords 0x8000000000000000, RuleName "-"; the Version field is 5 for EventID 3 and 23, 3 for EventID 5, 7 and 10, 2 for EventID 11, 12 and 13, and 1 for EventID 17. The export ran SourceProcessId and SourceThreadId of the EventID 10 records together; they are split here at the process ID the same image carries in its other events where one is present (Explorer.EXE 3784, WerFault.exe 7088, lsass.exe 628), and for the two svchost.exe sources (844/972 and 724/5768) at the only split that yields two four-aligned IDs.

(header of this record is on the preceding line) | 17:49:37.981 | EID 10 ProcessAccess | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} | TargetProcessId=5440 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1067478 | 2021-04-21 17:49:32.727 | win-dc-982.attackrange.local | EID 3 NetworkConnect | ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} | ProcessId=4116 | Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe | User=NT AUTHORITY\SYSTEM | Protocol=tcp | Initiated=true | SourceIsIpv6=false | SourceIp=10.0.1.14 | SourceHostname=win-dc-982.attackrange.local | SourcePort=32512 | SourcePortName=- | DestinationIsIpv6=false | DestinationIp=10.0.1.12 | DestinationHostname=- | DestinationPort=8000 | DestinationPortName=-
1067477 | 2021-04-21 17:49:37.256 | win-dc-982.attackrange.local | EID 23 FileDelete | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=3FC370295F2D4C221DBE53687584E991,SHA256=D86F0B05AE1A826CD21B49F9585B1AF27D294CE4CAA2C375F2114D5DD4728D3C,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
1548571 | 2021-04-21 17:49:37.930 | win-host-5.attackrange.local | EID 13 RegistryEvent SetValue | ProcessGuid={21761711-84C9-607D-F200-00000000BB01} | ProcessId=3784 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502\VirtualDesktop | Details=Binary Data
1548570 | 2021-04-21 17:49:37.930 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-84C9-607D-F200-00000000BB01} | ProcessId=3784 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502
1548569 | 2021-04-21 17:49:37.883 | win-host-5.attackrange.local | EID 13 RegistryEvent SetValue | ProcessGuid={21761711-84C9-607D-F200-00000000BB01} | ProcessId=3784 | Image=C:\Windows\Explorer.EXE | TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientation | Details=DWORD (0x00000000)
1548568 | 2021-04-21 17:49:37.883 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-84C9-607D-F200-00000000BB01} | ProcessId=3784 | Image=C:\Windows\Explorer.EXE | TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation
1548567 | 2021-04-21 17:49:37.883 | win-host-5.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={21761711-84C9-607D-F200-00000000BB01} | SourceProcessId=3784 | SourceThreadId=7552 | SourceImage=C:\Windows\Explorer.EXE | TargetProcessGUID={21761711-6344-6080-FE5D-00000000BB01} | TargetProcessId=3548 | TargetImage=C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1548566 | 2021-04-21 17:49:37.883 | win-host-5.attackrange.local | EID 5 ProcessTerminate | ProcessGuid={21761711-65AF-6080-4F5E-00000000BB01} | ProcessId=3452 | Image=C:\Windows\SysWOW64\dllhost.exe
1548565 | 2021-04-21 17:49:37.883 | win-host-5.attackrange.local | EID 5 ProcessTerminate | ProcessGuid={21761711-65AF-6080-525E-00000000BB01} | ProcessId=7088 | Image=C:\Windows\SysWOW64\WerFault.exe
1548564, 1548563, 1548562, 1548561, 1548560, 1548559, 1548558, 1548557, 1548556, 1548555 (ten records with identical fields) | 2021-04-21 17:49:37.883 | win-host-5.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={21761711-65AF-6080-525E-00000000BB01} | SourceProcessId=7088 | SourceThreadId=5096 | SourceImage=C:\Windows\SysWOW64\WerFault.exe | TargetProcessGUID={21761711-65AF-6080-4F5E-00000000BB01} | TargetProcessId=3452 | TargetImage=C:\Windows\SysWOW64\dllhost.exe | GrantedAccess=0x1410 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
1548554 | 2021-04-21 17:49:37.883 | win-host-5.attackrange.local | EID 12 RegistryEvent DeleteKey | ProcessGuid={21761711-84C9-607D-F200-00000000BB01} | ProcessId=3784 | Image=C:\Windows\Explorer.EXE | TargetObject=HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000090502
1548553 | 2021-04-21 17:49:37.868 | win-host-5.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={21761711-84C9-607D-F200-00000000BB01} | SourceProcessId=3784 | SourceThreadId=4996 | SourceImage=C:\Windows\Explorer.EXE | TargetProcessGUID={21761711-6344-6080-FE5D-00000000BB01} | TargetProcessId=3548 | TargetImage=C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1548552 | 2021-04-21 17:49:37.868 | win-host-5.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={21761711-84C9-607D-F200-00000000BB01} | SourceProcessId=3784 | SourceThreadId=4996 | SourceImage=C:\Windows\Explorer.EXE | TargetProcessGUID={21761711-6344-6080-FE5D-00000000BB01} | TargetProcessId=3548 | TargetImage=C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | GrantedAccess=0x1410 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1548551 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 17 PipeEvent CreatePipe | ProcessGuid={21761711-83AE-607D-1000-00000000BB01} | ProcessId=960 | PipeName=\ProtectedPrefix\LocalService\FTHPIPE | Image=C:\Windows\system32\svchost.exe
1548550 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
1548549 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
1548548 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
1548547 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 13 RegistryEvent SetValue | ProcessGuid={21761711-83AE-607D-1000-00000000BB01} | ProcessId=960 | Image=C:\Windows\system32\svchost.exe | TargetObject=HKLM\SOFTWARE\Microsoft\FTH\CheckPointTime | Details=DWORD (0x0d2d152d)
1548546 | 2021-04-21 17:49:37.165 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1000-00000000BB01} | ProcessId=960 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\fthsvc.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Microsoft Windows Fault Tolerant Heap Diagnostic Module | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=fthsvc.dll | Hashes=MD5=899E60FF3E315B4F05F591551A134835,SHA256=5F26E8E42740C9D72F71752F66D660FB3F0D52D532BAFE85310B51D377BA6081 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548545 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1548544 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1548543 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1548542 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1548541 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1548540 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1548539 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1548538 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1548537 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1548536 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1548535 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1548534 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1548533 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1548532 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1548531 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
1548530 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
1548529 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
1548528 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
1548527 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1548526 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1548525 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1000-00000000BB01} | ProcessId=960 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\apphelp.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Application Compatibility Client Library | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=Apphelp | Hashes=MD5=92330FA0551BFFBB8C1C97E86F9A0264,SHA256=0F341AF375236EBF7047F6AE50F2834566F0D859F0F02B8A5FFD7F29C31B0117 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548524 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1548523 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1548522 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1000-00000000BB01} | ProcessId=960 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\wer.dll | FileVersion=10.0.14393.4169 (rs1_release.210107-1130) | Description=Windows Error Reporting DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=wer.dll | Hashes=MD5=D9715C34200FA21F6356CD5C56FE343C,SHA256=E7541EB9D78312F1F72D8D83A8BB2B26FF3F02F60129DCF7F6759EC7E183C84E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548521 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1000-00000000BB01} | ProcessId=960 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\wevtapi.dll | FileVersion=10.0.14393.3053 (rs1_release_inmarket.190612-1836) | Description=Eventing Consumption and Configuration API | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=wevtapi.dll | Hashes=MD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548520 | 2021-04-21 17:49:37.166 | win-host-5.attackrange.local | EID 12 RegistryEvent CreateKey | ProcessGuid={21761711-83AE-607D-1D00-00000000BB01} | ProcessId=1960 | Image=C:\Windows\sysmon64.exe | TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1548519 | 2021-04-21 17:49:37.164 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1200-00000000BB01} | ProcessId=304 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\mpr.dll | FileVersion=10.0.14393.2879 (rs1_release_inmarket.190313-1855) | Description=Multiple Provider Router DLL | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=mpr.dll | Hashes=MD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548518 | 2021-04-21 17:49:37.163 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1200-00000000BB01} | ProcessId=304 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\pcacli.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Program Compatibility Assistant Client Module | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=- | Hashes=MD5=012B8825E588F74439D55115ED1FE5AD,SHA256=D646D30D2538E47FEFB9C1D5B323476B2701822FF6BCC91155C40BAA6710975E | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548517 | 2021-04-21 17:49:37.163 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1200-00000000BB01} | ProcessId=304 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\pcadm.dll | FileVersion=10.0.14393.4350 (rs1_release.210407-2154) | Description=Program Compatibility Assistant Diagnostic Module | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=- | Hashes=MD5=938A788B0BA2B57AFA75F56346138A37,SHA256=8C2E8E8D2C81DCC2FB08779A413436634809791FF1CF867838996664B7899541 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548516 | 2021-04-21 17:49:37.161 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1000-00000000BB01} | ProcessId=960 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\wdi.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Windows Diagnostic Infrastructure | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=wdi.dll | Hashes=MD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548515 | 2021-04-21 17:49:37.161 | win-host-5.attackrange.local | EID 7 ImageLoad | ProcessGuid={21761711-83AE-607D-1200-00000000BB01} | ProcessId=304 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Windows\System32\wdi.dll | FileVersion=10.0.14393.0 (rs1_release.160715-1616) | Description=Windows Diagnostic Infrastructure | Product=Microsoft® Windows® Operating System | Company=Microsoft Corporation | OriginalFileName=wdi.dll | Hashes=MD5=E7A7E8803E66B7CCED95D327A4DBC135,SHA256=401ECD953D4014A95C9022822D9ACEC1A68C917281DBA2365503A473FC6D9507 | Signed=true | Signature=Microsoft Windows | SignatureStatus=Valid
1548514 | 2021-04-21 17:49:37.160 | win-host-5.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={21761711-83AD-607D-0C00-00000000BB01} | SourceProcessId=724 | SourceThreadId=5768 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-83AD-607D-0B00-00000000BB01} | TargetProcessId=628 | TargetImage=C:\Windows\system32\lsass.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1548513 | 2021-04-21 17:49:37.160 | win-host-5.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={21761711-83AD-607D-0C00-00000000BB01} | SourceProcessId=724 | SourceThreadId=5768 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={21761711-83AD-607D-0B00-00000000BB01} | TargetProcessId=628 | TargetImage=C:\Windows\system32\lsass.exe | GrantedAccess=0x1400 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1548512 | 2021-04-21 17:49:37.160 | win-host-5.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={21761711-83AD-607D-0B00-00000000BB01} | SourceProcessId=628 | SourceThreadId=7724 | SourceImage=C:\Windows\system32\lsass.exe | TargetProcessGUID={21761711-83AD-607D-0A00-00000000BB01} | TargetProcessId=620 | TargetImage=C:\Windows\system32\services.exe | GrantedAccess=0x1000 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1548511 | 2021-04-21 17:49:37.060 | win-host-5.attackrange.local | EID 11 FileCreate | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-04-19 13:21:25.072
1548510 | 2021-04-21 17:49:37.060 | win-host-5.attackrange.local | EID 23 FileDelete | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=D0775927E17D361FA7359ECCEB985063,SHA256=5C475D25FF495CF466826AC13F0DC0C5783F9B8067E122AFAB701193980EF3F3 | IsExecutable=false | Archived=false - insufficient disk space
1067476 | 2021-04-21 17:49:37.081 | win-dc-982.attackrange.local | EID 23 FileDelete | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=1DD3E45E3DA74C8269FDE3C1E3936D4C,SHA256=59E9A8460364B17D3ECA0F517BAFF924DDD6B26FCC5F74175073404244112CD2,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
1067475 | 2021-04-21 17:49:37.080 | win-dc-982.attackrange.local | EID 23 FileDelete | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=E4CCDD241922368766248C7268444BA2,SHA256=A89FE48D4EB5F811BC533053A51492C0B7466FCA18AD3AC197BD0B6B3CC4B2BB,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
1067483 | 2021-04-21 17:49:38.982 | win-dc-982.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} | TargetProcessId=5220 | TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | GrantedAccess=0x3600 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1067482 | 2021-04-21 17:49:38.982 | win-dc-982.attackrange.local | EID 10 ProcessAccess | SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} | SourceProcessId=844 | SourceThreadId=972 | SourceImage=C:\Windows\system32\svchost.exe | TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} | TargetProcessId=5440 | TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | GrantedAccess=0x3600 | CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1067481 | 2021-04-21 17:49:38.260 | win-dc-982.attackrange.local | EID 23 FileDelete | ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} | ProcessId=1064 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | Hashes=MD5=55F184DFE99A8C4735FF67D56B6B30D2,SHA256=CF15BC6D5A248303F0882BA2FC23C15F879F54ADDEB125610C4B8C56E927489D,IMPHASH=00000000000000000000000000000000 | IsExecutable=false | Archived=true
1548578 | 2021-04-21 17:49:38.886 | win-host-5.attackrange.local | EID 11 FileCreate | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | CreationUtcTime=2021-04-19 13:20:22.616
1548577 | 2021-04-21 17:49:38.886 | win-host-5.attackrange.local | EID 23 FileDelete | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security | Hashes=MD5=EFDDBC6C3A6AC88D291947B7744044D7,SHA256=EB0F53B3CAAD95F6935A815C2E59B4921E83D016390317DBDE549E6FE1C29DBD | IsExecutable=false | Archived=false - insufficient disk space
1548576 | 2021-04-21 17:49:38.167 | win-host-5.attackrange.local | EID 11 FileCreate | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System | CreationUtcTime=2021-04-19 13:19:53.227
1548575 | 2021-04-21 17:49:38.167 | win-host-5.attackrange.local | EID 23 FileDelete | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | User=NT AUTHORITY\SYSTEM | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System | Hashes=MD5=B4A17FCE3209D14A13760B7DE351319C,SHA256=40C3654F64FF51A99BA34DE9DF81C66514A9E255444C299650DC4835A87D02A1 | IsExecutable=false | Archived=false - insufficient disk space
1548574 | 2021-04-21 17:49:38.163 | win-host-5.attackrange.local | EID 11 FileCreate | ProcessGuid={21761711-8437-607D-CE00-00000000BB01} | ProcessId=2032 | Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | CreationUtcTime=2021-04-19 13:21:25.072
1548573 | 2021-04-21 (time and remaining fields of this record are on the following line) | win-host-5.attackrange.local | EID 23 FileDelete
17:49:38.163{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3C00049BF1DDDA8D287F709C30BFB4,SHA256=98222CF94402802664479CC035F66F71A0179A1D8D1C76F21C1B182B4BA7D6D4falsefalse - insufficient disk space 354300x80000000000000001548572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:35.382{21761711-65AF-6080-4F5E-00000000BB01}3452<unknown process>WIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local64999-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001067486Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:39.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067485Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:39.982{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067484Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:39.272{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C319E4016331D551F583FE33ECC9EE7,SHA256=48E507D14AB1351B1001DF08D6B1253152DFF1D571A611F1F17DB8FEE5DF316B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:39.169{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:39.169{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD0EAEC2AC20E45A63E8E24C6E985E1,SHA256=7B331FC969FAB3D9A80B0922CC07343AA85C7C66415ACC0CFBD4AA3BA7AFBB3Bfalsefalse - insufficient disk space 
10341000x80000000000000001067489Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:40.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067488Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:40.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067487Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:40.274{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA17BF144B9F0D04F7E5A3290000C05D,SHA256=6758A68808351D4E6C57B78F950E5ECE918E7FD898E14E5E6285C8671AA132F8,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x80000000000000001548586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:40.890{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:40.890{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 11241100x80000000000000001548584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:40.189{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:40.189{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B82F3767DE109F5E5592E119341548,SHA256=29A6145F34340AB91CAF73185506A503540E6A0310E7FE4C0C07CF0C1A3E3227falsefalse - insufficient disk space 11241100x80000000000000001548582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:40.069{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000001548581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:40.068{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=402FADEB178219B9703357C2E006B637,SHA256=F6C6D5775A8434092FCC2BB51078CFC379B48A039B986D2E1C9EC17AB3DF1688falsefalse - insufficient disk space 11241100x80000000000000001548589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:41.254{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:41.254{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F1B9D9DAD84C359E118A311978CB75,SHA256=E3CB6B34286C240F3C777047A1369758D85A29F677B2836644DFA67E787AB2E3falsefalse - insufficient disk space 10341000x80000000000000001067492Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:41.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067491Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:41.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067490Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:41.283{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE9DD070687B7C2963EAD63B8959037,SHA256=CBF6F4953CAE407A713B6983BF7205F838D6F86A35C743E12F848C87D99BAC3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001548587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:38.618{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65000-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001548591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:42.294{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:42.294{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4273D5B7B55BD786535B685A4925D912,SHA256=3EBE733276948426DB0C50E07CC745D0D88F026599FFBFF4716EB101EB4A3759falsefalse - insufficient disk space 10341000x80000000000000001067509Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067508Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:42.983{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067507Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:37.872{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32513-false10.0.1.12-8000- 17141700x80000000000000001067506Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-CreatePipe2021-04-21 17:49:42.881{761B69BB-65B6-6080-265D-00000000BA01}2304\MSSE-6836-serverC:\Users\Administrator\Desktop\64_dllhost.exe 10341000x80000000000000001067505Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.878{761B69BB-818C-607D-1200-00000000BA01}6125508C:\Windows\System32\svchost.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067504Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:42.877{761B69BB-818C-607D-1200-00000000BA01}6126156C:\Windows\System32\svchost.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067503Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.877{761B69BB-818C-607D-1200-00000000BA01}6126156C:\Windows\System32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067502Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:42.877{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067501Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.876{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067500Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:42.876{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067499Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.876{761B69BB-84CF-607D-F002-00000000BA01}43804688C:\Windows\system32\csrss.exe{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067498Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:42.876{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067497Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.876{761B69BB-84D3-607D-0403-00000000BA01}3727156C:\Windows\Explorer.EXE{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+18d18c|C:\Windows\System32\SHELL32.dll+18cee3|C:\Windows\System32\SHCORE.dll+33fad|C:\
Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067496Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.875{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe-----"C:\Users\Administrator\Desktop\64_dllhost.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{761B69BB-84D1-607D-2C9F-1B0000000000}0x1b9f2c2HighMD5=F833C142FBA7CE8E89C5510363A43052,SHA256=051764E0F16B8BC8ADF41F59B2A4214EA482E5AEC023B44FF91784670524CE5C,IMPHASH=17B461A082950FC6332228572138B80C{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001067495Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.300{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7995D3DA2E4D62B7B933570BEADA34B3,SHA256=90809716FD1E315490382BCBF14CD98BDAF94DE40A4B8791E57BE8A11BE5F3B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067494Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.209{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AB50D3C4B5B3809CE672A4EEE1B00D6,SHA256=9434590EEDC9203958677CE2F587310F9DFC8B7034A5AAF1ECFBBD1CA61695BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067493Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:42.208{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DD3E45E3DA74C8269FDE3C1E3936D4C,SHA256=59E9A8460364B17D3ECA0F517BAFF924DDD6B26FCC5F74175073404244112CD2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:43.343{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:43.343{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9F4FFD7987197852E9A58DA53AAF42,SHA256=D9821DEE9864C43419421DD9C847D00604437545599D8ED545D9DC3841A83E33falsefalse - insufficient disk space 10341000x80000000000000001067517Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.984{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067516Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:43.984{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067515Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:43.928{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067514Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:51.361{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6049C105AD6D1A93FD039B1E2358718,SHA256=E9A8B9DD40E9305B15985DCA88AB5E5042B3D263AB5928F982E4DAB7448ED50F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001548637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.362{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000027047C\VirtualDesktopBinary Data 12241200x80000000000000001548636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:51.362{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000027047C 13241300x80000000000000001548635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.315{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.315{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 
10341000x80000000000000001548633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:51.315{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001548632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.299{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:51.299{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:51.299{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001548629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:48.695{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65002-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001548644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:52.734{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:52.734{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA16AD48089C1410007DB6DCAC218F27,SHA256=42D942BB2930477F6F2CFBD65AB4A59636214664CA04CADC08BD411811C966AEfalsefalse - insufficient disk space 10341000x80000000000000001067554Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:52.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067553Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:52.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067552Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:52.369{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F730592E5792468363E28546ECDE6EAF,SHA256=BC193FE90579830C66A581E9B1233327FA5738CEEA384CB788A6D054FC270981,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001548642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:49:52.681{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:52.681{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:52.681{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001548651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:53.922{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:53.922{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE287760F2E56525770F82D0542C0DC,SHA256=4B17BA62D9CF43DC8AD12E761469E4EA0653A33877407F2A04F59B14BAC5C1CEfalsefalse - insufficient disk space 10341000x80000000000000001067560Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067559Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067558Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:48.898{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32516-false10.0.1.12-8000- 23542300x80000000000000001067557Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.376{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4EDEE60B18D7A316123A4A9B16525A,SHA256=B3794BAB7EEC31A77CE1443B518A91199E2E97901E40D04AF49D7DA822DFC5FF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001548649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:53.668{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D051E\VirtualDesktopBinary Data 12241200x80000000000000001548648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:53.668{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000D051E 13241300x80000000000000001548647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:53.601{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:49:53.601{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:53.601{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067556Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.234{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB892FB34E6FF1C1FCA6A7312B70F196,SHA256=6517E9F46C2034721812D4C2CDD5DFFE97D692C2D7985D63CF9C55D42FFC8BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067555Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:53.233{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C5DBC9DB85B52A44DE8AD1B4F531372,SHA256=3C9C686BC043B7E38C0251B18B84009ABB8B2DA3E7F43C46CF9B954AB634F2B2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001548653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:54.924{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001548652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:54.924{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446A6416D0B4F0B9F9F67BD3A4AF5A6E,SHA256=0632B2C4B39563D57DFC29FFD83EB6CD107E1527227EF0152E078D20AED7E52Bfalsefalse - insufficient disk space 10341000x80000000000000001067563Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:54.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067562Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:54.988{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067561Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:54.382{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF6DBC23C54FDB46E20FF5A5B291F24,SHA256=EB4F65E0D62421ACAEE97D4D3749304061B85151E7EA9E4B78E0D7D6F629CCC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067567Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:55.989{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067566Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:55.989{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067565Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:55.873{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB892FB34E6FF1C1FCA6A7312B70F196,SHA256=6517E9F46C2034721812D4C2CDD5DFFE97D692C2D7985D63CF9C55D42FFC8BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067564Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:55.386{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89499CDB9ECD18CCDA4DAB02A6907DCC,SHA256=3772F0B2673FA3153F380D3036CF2F0E0AAF3123DD57EBD73F393F9B3C78299D,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001549575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x80000000000000001549574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x80000000000000001549573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 734700x80000000000000001549572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=A9577E37C01F2AC118012CB0F810CB01,SHA256=0BC1D3056283C7579FFCF913B55357EBB0AEB3E8E39E8C053B654228EA224EA9trueMicrosoft WindowsValid 13241300x80000000000000001549571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000001549570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet 
Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000001549569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 13241300x80000000000000001549568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001549567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000001549566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001549565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.973{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x80000000000000001549564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274654_WINWORD.EXE_3548_4412_2476.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274655_WINWORD.EXE_3548_4412_2475.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274655_WINWORD.EXE_3548_4412_2474.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274656_WINWORD.EXE_3548_4412_2473.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274656_WINWORD.EXE_3548_4412_2472.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274656_WINWORD.EXE_3548_4412_2471.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274657_WINWORD.EXE_3548_4412_2470.dmp2021-04-21 17:49:55.927 
11241100x80000000000000001549460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274657_WINWORD.EXE_3548_4412_2469.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274658_WINWORD.EXE_3548_4412_2468.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274658_WINWORD.EXE_3548_4412_2467.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274659_WINWORD.EXE_3548_4412_2466.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274659_WINWORD.EXE_3548_4412_2465.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274660_WINWORD.EXE_3548_4412_2464.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274660_WINWORD.EXE_3548_4412_2463.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274661_WINWORD.EXE_3548_4412_2462.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274661_WINWORD.EXE_3548_4412_2461.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274661_WINWORD.EXE_3548_4412_2460.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274662_WINWORD.EXE_3548_4412_2459.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274662_WINWORD.EXE_3548_4412_2458.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274663_WINWORD.EXE_3548_4412_2457.dmp2021-04-21 17:49:55.927 
11241100x80000000000000001549447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274663_WINWORD.EXE_3548_4412_2456.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274664_WINWORD.EXE_3548_4412_2455.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274664_WINWORD.EXE_3548_4412_2454.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274665_WINWORD.EXE_3548_4412_2453.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274665_WINWORD.EXE_3548_4412_2452.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.927{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274665_WINWORD.EXE_3548_4412_2451.dmp2021-04-21 17:49:55.927 11241100x80000000000000001549441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274666_WINWORD.EXE_3548_4412_2450.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274666_WINWORD.EXE_3548_4412_2449.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274667_WINWORD.EXE_3548_4412_2448.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274667_WINWORD.EXE_3548_4412_2447.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274668_WINWORD.EXE_3548_4412_2446.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274668_WINWORD.EXE_3548_4412_2445.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274669_WINWORD.EXE_3548_4412_2444.dmp2021-04-21 17:49:55.911 
11241100x80000000000000001549434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274669_WINWORD.EXE_3548_4412_2443.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274670_WINWORD.EXE_3548_4412_2442.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274670_WINWORD.EXE_3548_4412_2441.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274670_WINWORD.EXE_3548_4412_2440.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274671_WINWORD.EXE_3548_4412_2439.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274671_WINWORD.EXE_3548_4412_2438.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274672_WINWORD.EXE_3548_4412_2437.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274672_WINWORD.EXE_3548_4412_2436.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274673_WINWORD.EXE_3548_4412_2435.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274673_WINWORD.EXE_3548_4412_2434.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274674_WINWORD.EXE_3548_4412_2433.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274674_WINWORD.EXE_3548_4412_2432.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274674_WINWORD.EXE_3548_4412_2431.dmp2021-04-21 17:49:55.911 
11241100x80000000000000001549421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274675_WINWORD.EXE_3548_4412_2430.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274675_WINWORD.EXE_3548_4412_2429.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274676_WINWORD.EXE_3548_4412_2428.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274676_WINWORD.EXE_3548_4412_2427.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274677_WINWORD.EXE_3548_4412_2426.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274677_WINWORD.EXE_3548_4412_2425.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274678_WINWORD.EXE_3548_4412_2424.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274678_WINWORD.EXE_3548_4412_2423.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274679_WINWORD.EXE_3548_4412_2422.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274679_WINWORD.EXE_3548_4412_2421.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274679_WINWORD.EXE_3548_4412_2420.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274680_WINWORD.EXE_3548_4412_2419.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274680_WINWORD.EXE_3548_4412_2418.dmp2021-04-21 17:49:55.911 
11241100x80000000000000001549408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274681_WINWORD.EXE_3548_4412_2417.dmp2021-04-21 17:49:55.911 11241100x80000000000000001549407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.911{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274681_WINWORD.EXE_3548_4412_2416.dmp2021-04-21 17:49:55.910 11241100x80000000000000001549406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.910{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274682_WINWORD.EXE_3548_4412_2415.dmp2021-04-21 17:49:55.910 11241100x80000000000000001549405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.910{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274682_WINWORD.EXE_3548_4412_2414.dmp2021-04-21 17:49:55.909 11241100x80000000000000001549404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.909{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274683_WINWORD.EXE_3548_4412_2413.dmp2021-04-21 17:49:55.909 11241100x80000000000000001549403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.909{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274683_WINWORD.EXE_3548_4412_2412.dmp2021-04-21 17:49:55.908 11241100x80000000000000001549402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.908{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274684_WINWORD.EXE_3548_4412_2411.dmp2021-04-21 17:49:55.908 11241100x80000000000000001549401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.908{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274684_WINWORD.EXE_3548_4412_2410.dmp2021-04-21 17:49:55.908 11241100x80000000000000001549400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.907{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274685_WINWORD.EXE_3548_4412_2409.dmp2021-04-21 17:49:55.907 11241100x80000000000000001549399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.907{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274685_WINWORD.EXE_3548_4412_2408.dmp2021-04-21 17:49:55.907 11241100x80000000000000001549398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.906{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274686_WINWORD.EXE_3548_4412_2407.dmp2021-04-21 17:49:55.906 11241100x80000000000000001549397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.906{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274686_WINWORD.EXE_3548_4412_2406.dmp2021-04-21 17:49:55.906 11241100x80000000000000001549396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.905{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274687_WINWORD.EXE_3548_4412_2405.dmp2021-04-21 17:49:55.905 
11241100x80000000000000001549395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.905{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274687_WINWORD.EXE_3548_4412_2404.dmp2021-04-21 17:49:55.905 11241100x80000000000000001549394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.904{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274687_WINWORD.EXE_3548_4412_2403.dmp2021-04-21 17:49:55.904 11241100x80000000000000001549393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274688_WINWORD.EXE_3548_4412_2402.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274689_WINWORD.EXE_3548_4412_2401.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274689_WINWORD.EXE_3548_4412_2400.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274689_WINWORD.EXE_3548_4412_2399.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274690_WINWORD.EXE_3548_4412_2398.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274690_WINWORD.EXE_3548_4412_2397.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274691_WINWORD.EXE_3548_4412_2396.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274691_WINWORD.EXE_3548_4412_2395.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274692_WINWORD.EXE_3548_4412_2394.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274692_WINWORD.EXE_3548_4412_2393.dmp2021-04-21 17:49:55.889 11241100x80000000000000001549383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.889{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274693_WINWORD.EXE_3548_4412_2392.dmp2021-04-21 17:49:55.889 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274753_WINWORD.EXE_3548_4412_2258.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274753_WINWORD.EXE_3548_4412_2257.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274754_WINWORD.EXE_3548_4412_2256.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274754_WINWORD.EXE_3548_4412_2255.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274755_WINWORD.EXE_3548_4412_2254.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274755_WINWORD.EXE_3548_4412_2253.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274756_WINWORD.EXE_3548_4412_2252.dmp2021-04-21 17:49:55.826 
11241100x80000000000000001549240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274756_WINWORD.EXE_3548_4412_2251.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274757_WINWORD.EXE_3548_4412_2250.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274761_WINWORD.EXE_3548_4412_2249.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274761_WINWORD.EXE_3548_4412_2248.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274762_WINWORD.EXE_3548_4412_2247.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274762_WINWORD.EXE_3548_4412_2246.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274762_WINWORD.EXE_3548_4412_2245.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274763_WINWORD.EXE_3548_4412_2244.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274763_WINWORD.EXE_3548_4412_2243.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274764_WINWORD.EXE_3548_4412_2242.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274764_WINWORD.EXE_3548_4412_2241.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274765_WINWORD.EXE_3548_4412_2240.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274765_WINWORD.EXE_3548_4412_2239.dmp2021-04-21 17:49:55.826 
11241100x80000000000000001549227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.826{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274766_WINWORD.EXE_3548_4412_2238.dmp2021-04-21 17:49:55.826 11241100x80000000000000001549226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274766_WINWORD.EXE_3548_4412_2237.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274766_WINWORD.EXE_3548_4412_2236.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274767_WINWORD.EXE_3548_4412_2235.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274767_WINWORD.EXE_3548_4412_2234.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274768_WINWORD.EXE_3548_4412_2233.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274768_WINWORD.EXE_3548_4412_2232.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274771_WINWORD.EXE_3548_4412_2231.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274771_WINWORD.EXE_3548_4412_2230.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274772_WINWORD.EXE_3548_4412_2229.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274772_WINWORD.EXE_3548_4412_2228.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274773_WINWORD.EXE_3548_4412_2227.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274773_WINWORD.EXE_3548_4412_2226.dmp2021-04-21 17:49:55.811 
11241100x80000000000000001549214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274773_WINWORD.EXE_3548_4412_2225.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274774_WINWORD.EXE_3548_4412_2224.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274774_WINWORD.EXE_3548_4412_2223.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274775_WINWORD.EXE_3548_4412_2222.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274775_WINWORD.EXE_3548_4412_2221.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274776_WINWORD.EXE_3548_4412_2220.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274776_WINWORD.EXE_3548_4412_2219.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274776_WINWORD.EXE_3548_4412_2218.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274777_WINWORD.EXE_3548_4412_2217.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274777_WINWORD.EXE_3548_4412_2216.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274778_WINWORD.EXE_3548_4412_2215.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274778_WINWORD.EXE_3548_4412_2214.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274779_WINWORD.EXE_3548_4412_2213.dmp2021-04-21 17:49:55.811 
11241100x80000000000000001549201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274779_WINWORD.EXE_3548_4412_2212.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274780_WINWORD.EXE_3548_4412_2211.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274780_WINWORD.EXE_3548_4412_2210.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274780_WINWORD.EXE_3548_4412_2209.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274781_WINWORD.EXE_3548_4412_2208.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.811{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274781_WINWORD.EXE_3548_4412_2207.dmp2021-04-21 17:49:55.811 11241100x80000000000000001549195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.810{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274782_WINWORD.EXE_3548_4412_2206.dmp2021-04-21 17:49:55.810 11241100x80000000000000001549194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.810{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274782_WINWORD.EXE_3548_4412_2205.dmp2021-04-21 17:49:55.810 11241100x80000000000000001549193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.809{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274783_WINWORD.EXE_3548_4412_2204.dmp2021-04-21 17:49:55.809 11241100x80000000000000001549192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.809{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274783_WINWORD.EXE_3548_4412_2203.dmp2021-04-21 17:49:55.809 11241100x80000000000000001549191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.809{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274784_WINWORD.EXE_3548_4412_2202.dmp2021-04-21 17:49:55.808 11241100x80000000000000001549190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.808{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274784_WINWORD.EXE_3548_4412_2201.dmp2021-04-21 17:49:55.808 11241100x80000000000000001549189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.808{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274784_WINWORD.EXE_3548_4412_2200.dmp2021-04-21 17:49:55.807 
11241100x80000000000000001549188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.807{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274785_WINWORD.EXE_3548_4412_2199.dmp2021-04-21 17:49:55.807 11241100x80000000000000001549187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.807{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274785_WINWORD.EXE_3548_4412_2198.dmp2021-04-21 17:49:55.807 11241100x80000000000000001549186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.806{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274786_WINWORD.EXE_3548_4412_2197.dmp2021-04-21 17:49:55.806 11241100x80000000000000001549185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.806{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274786_WINWORD.EXE_3548_4412_2196.dmp2021-04-21 17:49:55.806 11241100x80000000000000001549184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.805{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274787_WINWORD.EXE_3548_4412_2195.dmp2021-04-21 17:49:55.805 11241100x80000000000000001549183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.805{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274787_WINWORD.EXE_3548_4412_2194.dmp2021-04-21 17:49:55.805 11241100x80000000000000001549182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.804{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274788_WINWORD.EXE_3548_4412_2193.dmp2021-04-21 17:49:55.804 11241100x80000000000000001549181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274788_WINWORD.EXE_3548_4412_2192.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274788_WINWORD.EXE_3548_4412_2191.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274789_WINWORD.EXE_3548_4412_2190.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274789_WINWORD.EXE_3548_4412_2189.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274790_WINWORD.EXE_3548_4412_2188.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274790_WINWORD.EXE_3548_4412_2187.dmp2021-04-21 17:49:55.789 
11241100x80000000000000001549175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274791_WINWORD.EXE_3548_4412_2186.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274791_WINWORD.EXE_3548_4412_2185.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274791_WINWORD.EXE_3548_4412_2184.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274792_WINWORD.EXE_3548_4412_2183.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274792_WINWORD.EXE_3548_4412_2182.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274793_WINWORD.EXE_3548_4412_2181.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274793_WINWORD.EXE_3548_4412_2180.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274794_WINWORD.EXE_3548_4412_2179.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274794_WINWORD.EXE_3548_4412_2178.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274794_WINWORD.EXE_3548_4412_2177.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274795_WINWORD.EXE_3548_4412_2176.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274795_WINWORD.EXE_3548_4412_2175.dmp2021-04-21 17:49:55.789 11241100x80000000000000001549163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.789{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274796_WINWORD.EXE_3548_4412_2174.dmp2021-04-21 17:49:55.789 
Microsoft-Windows-Sysmon/Operational, Sysmon Event ID 11 (FileCreate), host win-host-5.attackrange.local
Records 1549162 down to 1549033: 130 FileCreate events between 2021-04-21 17:49:55.726 and 17:49:55.789 UTC (about 63 ms), all from the same WINWORD.EXE process and all written into C:\amsi_tracer\
System fields common to every record: Version 2, Level 4 (Information), Task 11, Opcode 0, Keywords 0x8000000000000000
EventData fields common to every record: RuleName -, ProcessGuid {21761711-6344-6080-FE5D-00000000BB01}, ProcessId 3548, Image C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Per-record fields:

EventRecordID  UtcTime                  TargetFilename                                            CreationUtcTime
1549162        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274796_WINWORD.EXE_3548_4412_2173.dmp  2021-04-21 17:49:55.789
1549161        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274797_WINWORD.EXE_3548_4412_2172.dmp  2021-04-21 17:49:55.789
1549160        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274797_WINWORD.EXE_3548_4412_2171.dmp  2021-04-21 17:49:55.789
1549159        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274798_WINWORD.EXE_3548_4412_2170.dmp  2021-04-21 17:49:55.789
1549158        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274798_WINWORD.EXE_3548_4412_2169.dmp  2021-04-21 17:49:55.789
1549157        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274798_WINWORD.EXE_3548_4412_2168.dmp  2021-04-21 17:49:55.789
1549156        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274799_WINWORD.EXE_3548_4412_2167.dmp  2021-04-21 17:49:55.789
1549155        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274799_WINWORD.EXE_3548_4412_2166.dmp  2021-04-21 17:49:55.789
1549154        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274800_WINWORD.EXE_3548_4412_2165.dmp  2021-04-21 17:49:55.789
1549153        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274800_WINWORD.EXE_3548_4412_2164.dmp  2021-04-21 17:49:55.789
1549152        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274801_WINWORD.EXE_3548_4412_2163.dmp  2021-04-21 17:49:55.789
1549151        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274801_WINWORD.EXE_3548_4412_2162.dmp  2021-04-21 17:49:55.789
1549150        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274801_WINWORD.EXE_3548_4412_2161.dmp  2021-04-21 17:49:55.789
1549149        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274802_WINWORD.EXE_3548_4412_2160.dmp  2021-04-21 17:49:55.789
1549148        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274802_WINWORD.EXE_3548_4412_2159.dmp  2021-04-21 17:49:55.789
1549147        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274803_WINWORD.EXE_3548_4412_2158.dmp  2021-04-21 17:49:55.789
1549146        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274803_WINWORD.EXE_3548_4412_2157.dmp  2021-04-21 17:49:55.789
1549145        2021-04-21 17:49:55.789  C:\amsi_tracer\-175274804_WINWORD.EXE_3548_4412_2156.dmp  2021-04-21 17:49:55.773
1549144        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274804_WINWORD.EXE_3548_4412_2155.dmp  2021-04-21 17:49:55.773
1549143        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274805_WINWORD.EXE_3548_4412_2154.dmp  2021-04-21 17:49:55.773
1549142        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274805_WINWORD.EXE_3548_4412_2153.dmp  2021-04-21 17:49:55.773
1549141        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274805_WINWORD.EXE_3548_4412_2152.dmp  2021-04-21 17:49:55.773
1549140        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274806_WINWORD.EXE_3548_4412_2151.dmp  2021-04-21 17:49:55.773
1549139        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274806_WINWORD.EXE_3548_4412_2150.dmp  2021-04-21 17:49:55.773
1549138        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274807_WINWORD.EXE_3548_4412_2149.dmp  2021-04-21 17:49:55.773
1549137        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274807_WINWORD.EXE_3548_4412_2148.dmp  2021-04-21 17:49:55.773
1549136        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274808_WINWORD.EXE_3548_4412_2147.dmp  2021-04-21 17:49:55.773
1549135        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274808_WINWORD.EXE_3548_4412_2146.dmp  2021-04-21 17:49:55.773
1549134        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274809_WINWORD.EXE_3548_4412_2145.dmp  2021-04-21 17:49:55.773
1549133        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274809_WINWORD.EXE_3548_4412_2144.dmp  2021-04-21 17:49:55.773
1549132        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274810_WINWORD.EXE_3548_4412_2143.dmp  2021-04-21 17:49:55.773
1549131        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274810_WINWORD.EXE_3548_4412_2142.dmp  2021-04-21 17:49:55.773
1549130        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274810_WINWORD.EXE_3548_4412_2141.dmp  2021-04-21 17:49:55.773
1549129        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274811_WINWORD.EXE_3548_4412_2140.dmp  2021-04-21 17:49:55.773
1549128        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274811_WINWORD.EXE_3548_4412_2139.dmp  2021-04-21 17:49:55.773
1549127        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274812_WINWORD.EXE_3548_4412_2138.dmp  2021-04-21 17:49:55.773
1549126        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274812_WINWORD.EXE_3548_4412_2137.dmp  2021-04-21 17:49:55.773
1549125        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274813_WINWORD.EXE_3548_4412_2136.dmp  2021-04-21 17:49:55.773
1549124        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274813_WINWORD.EXE_3548_4412_2135.dmp  2021-04-21 17:49:55.773
1549123        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274813_WINWORD.EXE_3548_4412_2134.dmp  2021-04-21 17:49:55.773
1549122        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274814_WINWORD.EXE_3548_4412_2133.dmp  2021-04-21 17:49:55.773
1549121        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274814_WINWORD.EXE_3548_4412_2132.dmp  2021-04-21 17:49:55.773
1549120        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274815_WINWORD.EXE_3548_4412_2131.dmp  2021-04-21 17:49:55.773
1549119        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274815_WINWORD.EXE_3548_4412_2130.dmp  2021-04-21 17:49:55.773
1549118        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274816_WINWORD.EXE_3548_4412_2129.dmp  2021-04-21 17:49:55.773
1549117        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274816_WINWORD.EXE_3548_4412_2128.dmp  2021-04-21 17:49:55.773
1549116        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274816_WINWORD.EXE_3548_4412_2127.dmp  2021-04-21 17:49:55.773
1549115        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274817_WINWORD.EXE_3548_4412_2126.dmp  2021-04-21 17:49:55.773
1549114        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274817_WINWORD.EXE_3548_4412_2125.dmp  2021-04-21 17:49:55.773
1549113        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274818_WINWORD.EXE_3548_4412_2124.dmp  2021-04-21 17:49:55.773
1549112        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274818_WINWORD.EXE_3548_4412_2123.dmp  2021-04-21 17:49:55.773
1549111        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274819_WINWORD.EXE_3548_4412_2122.dmp  2021-04-21 17:49:55.773
1549110        2021-04-21 17:49:55.773  C:\amsi_tracer\-175274819_WINWORD.EXE_3548_4412_2121.dmp  2021-04-21 17:49:55.773
1549109        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274820_WINWORD.EXE_3548_4412_2120.dmp  2021-04-21 17:49:55.757
1549108        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274820_WINWORD.EXE_3548_4412_2119.dmp  2021-04-21 17:49:55.757
1549107        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274820_WINWORD.EXE_3548_4412_2118.dmp  2021-04-21 17:49:55.757
1549106        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274821_WINWORD.EXE_3548_4412_2117.dmp  2021-04-21 17:49:55.757
1549105        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274821_WINWORD.EXE_3548_4412_2116.dmp  2021-04-21 17:49:55.757
1549104        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274822_WINWORD.EXE_3548_4412_2115.dmp  2021-04-21 17:49:55.757
1549103        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274822_WINWORD.EXE_3548_4412_2114.dmp  2021-04-21 17:49:55.757
1549102        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274823_WINWORD.EXE_3548_4412_2113.dmp  2021-04-21 17:49:55.757
1549101        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274823_WINWORD.EXE_3548_4412_2112.dmp  2021-04-21 17:49:55.757
1549100        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274824_WINWORD.EXE_3548_4412_2111.dmp  2021-04-21 17:49:55.757
1549099        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274824_WINWORD.EXE_3548_4412_2110.dmp  2021-04-21 17:49:55.757
1549098        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274824_WINWORD.EXE_3548_4412_2109.dmp  2021-04-21 17:49:55.757
1549097        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274825_WINWORD.EXE_3548_4412_2108.dmp  2021-04-21 17:49:55.757
1549096        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274825_WINWORD.EXE_3548_4412_2107.dmp  2021-04-21 17:49:55.757
1549095        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274826_WINWORD.EXE_3548_4412_2106.dmp  2021-04-21 17:49:55.757
1549094        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274826_WINWORD.EXE_3548_4412_2105.dmp  2021-04-21 17:49:55.757
1549093        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274826_WINWORD.EXE_3548_4412_2104.dmp  2021-04-21 17:49:55.757
1549092        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274827_WINWORD.EXE_3548_4412_2103.dmp  2021-04-21 17:49:55.757
1549091        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274827_WINWORD.EXE_3548_4412_2102.dmp  2021-04-21 17:49:55.757
1549090        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274828_WINWORD.EXE_3548_4412_2101.dmp  2021-04-21 17:49:55.757
1549089        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274828_WINWORD.EXE_3548_4412_2100.dmp  2021-04-21 17:49:55.757
1549088        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274829_WINWORD.EXE_3548_4412_2099.dmp  2021-04-21 17:49:55.757
1549087        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274829_WINWORD.EXE_3548_4412_2098.dmp  2021-04-21 17:49:55.757
1549086        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274830_WINWORD.EXE_3548_4412_2097.dmp  2021-04-21 17:49:55.757
1549085        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274830_WINWORD.EXE_3548_4412_2096.dmp  2021-04-21 17:49:55.757
1549084        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274830_WINWORD.EXE_3548_4412_2095.dmp  2021-04-21 17:49:55.757
1549083        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274831_WINWORD.EXE_3548_4412_2094.dmp  2021-04-21 17:49:55.757
1549082        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274831_WINWORD.EXE_3548_4412_2093.dmp  2021-04-21 17:49:55.757
1549081        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274832_WINWORD.EXE_3548_4412_2092.dmp  2021-04-21 17:49:55.757
1549080        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274832_WINWORD.EXE_3548_4412_2091.dmp  2021-04-21 17:49:55.757
1549079        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274833_WINWORD.EXE_3548_4412_2090.dmp  2021-04-21 17:49:55.757
1549078        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274833_WINWORD.EXE_3548_4412_2089.dmp  2021-04-21 17:49:55.757
1549077        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274834_WINWORD.EXE_3548_4412_2088.dmp  2021-04-21 17:49:55.757
1549076        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274834_WINWORD.EXE_3548_4412_2087.dmp  2021-04-21 17:49:55.757
1549075        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274834_WINWORD.EXE_3548_4412_2086.dmp  2021-04-21 17:49:55.757
1549074        2021-04-21 17:49:55.757  C:\amsi_tracer\-175274835_WINWORD.EXE_3548_4412_2085.dmp  2021-04-21 17:49:55.742
1549073        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274835_WINWORD.EXE_3548_4412_2084.dmp  2021-04-21 17:49:55.742
1549072        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274836_WINWORD.EXE_3548_4412_2083.dmp  2021-04-21 17:49:55.742
1549071        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274836_WINWORD.EXE_3548_4412_2082.dmp  2021-04-21 17:49:55.742
1549070        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274837_WINWORD.EXE_3548_4412_2081.dmp  2021-04-21 17:49:55.742
1549069        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274837_WINWORD.EXE_3548_4412_2080.dmp  2021-04-21 17:49:55.742
1549068        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274838_WINWORD.EXE_3548_4412_2079.dmp  2021-04-21 17:49:55.742
1549067        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274838_WINWORD.EXE_3548_4412_2078.dmp  2021-04-21 17:49:55.742
1549066        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274838_WINWORD.EXE_3548_4412_2077.dmp  2021-04-21 17:49:55.742
1549065        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274839_WINWORD.EXE_3548_4412_2076.dmp  2021-04-21 17:49:55.742
1549064        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274839_WINWORD.EXE_3548_4412_2075.dmp  2021-04-21 17:49:55.742
1549063        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274840_WINWORD.EXE_3548_4412_2074.dmp  2021-04-21 17:49:55.742
1549062        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274840_WINWORD.EXE_3548_4412_2073.dmp  2021-04-21 17:49:55.742
1549061        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274841_WINWORD.EXE_3548_4412_2072.dmp  2021-04-21 17:49:55.742
1549060        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274841_WINWORD.EXE_3548_4412_2071.dmp  2021-04-21 17:49:55.742
1549059        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274841_WINWORD.EXE_3548_4412_2070.dmp  2021-04-21 17:49:55.742
1549058        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274842_WINWORD.EXE_3548_4412_2069.dmp  2021-04-21 17:49:55.742
1549057        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274842_WINWORD.EXE_3548_4412_2068.dmp  2021-04-21 17:49:55.742
1549056        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274843_WINWORD.EXE_3548_4412_2067.dmp  2021-04-21 17:49:55.742
1549055        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274843_WINWORD.EXE_3548_4412_2066.dmp  2021-04-21 17:49:55.742
1549054        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274844_WINWORD.EXE_3548_4412_2065.dmp  2021-04-21 17:49:55.742
1549053        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274844_WINWORD.EXE_3548_4412_2064.dmp  2021-04-21 17:49:55.742
1549052        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274844_WINWORD.EXE_3548_4412_2063.dmp  2021-04-21 17:49:55.742
1549051        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274845_WINWORD.EXE_3548_4412_2062.dmp  2021-04-21 17:49:55.742
1549050        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274845_WINWORD.EXE_3548_4412_2061.dmp  2021-04-21 17:49:55.742
1549049        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274846_WINWORD.EXE_3548_4412_2060.dmp  2021-04-21 17:49:55.742
1549048        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274846_WINWORD.EXE_3548_4412_2059.dmp  2021-04-21 17:49:55.742
1549047        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274847_WINWORD.EXE_3548_4412_2058.dmp  2021-04-21 17:49:55.742
1549046        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274847_WINWORD.EXE_3548_4412_2057.dmp  2021-04-21 17:49:55.742
1549045        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274847_WINWORD.EXE_3548_4412_2056.dmp  2021-04-21 17:49:55.742
1549044        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274848_WINWORD.EXE_3548_4412_2055.dmp  2021-04-21 17:49:55.742
1549043        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274848_WINWORD.EXE_3548_4412_2054.dmp  2021-04-21 17:49:55.742
1549042        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274849_WINWORD.EXE_3548_4412_2053.dmp  2021-04-21 17:49:55.742
1549041        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274849_WINWORD.EXE_3548_4412_2052.dmp  2021-04-21 17:49:55.742
1549040        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274850_WINWORD.EXE_3548_4412_2051.dmp  2021-04-21 17:49:55.742
1549039        2021-04-21 17:49:55.742  C:\amsi_tracer\-175274850_WINWORD.EXE_3548_4412_2050.dmp  2021-04-21 17:49:55.742
1549038        2021-04-21 17:49:55.726  C:\amsi_tracer\-175274851_WINWORD.EXE_3548_4412_2049.dmp  2021-04-21 17:49:55.726
1549037        2021-04-21 17:49:55.726  C:\amsi_tracer\-175274851_WINWORD.EXE_3548_4412_2048.dmp  2021-04-21 17:49:55.726
1549036        2021-04-21 17:49:55.726  C:\amsi_tracer\-175274851_WINWORD.EXE_3548_4412_2047.dmp  2021-04-21 17:49:55.726
1549035        2021-04-21 17:49:55.726  C:\amsi_tracer\-175274852_WINWORD.EXE_3548_4412_2046.dmp  2021-04-21 17:49:55.726
1549034        2021-04-21 17:49:55.726  C:\amsi_tracer\-175274852_WINWORD.EXE_3548_4412_2045.dmp  2021-04-21 17:49:55.726
1549033        2021-04-21 17:49:55.726  C:\amsi_tracer\-175274853_WINWORD.EXE_3548_4412_2044.dmp  2021-04-21 17:49:55.726
11241100x80000000000000001549032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274853_WINWORD.EXE_3548_4412_2043.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274854_WINWORD.EXE_3548_4412_2042.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274854_WINWORD.EXE_3548_4412_2041.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274854_WINWORD.EXE_3548_4412_2040.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274855_WINWORD.EXE_3548_4412_2039.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274855_WINWORD.EXE_3548_4412_2038.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274856_WINWORD.EXE_3548_4412_2037.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274856_WINWORD.EXE_3548_4412_2036.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274857_WINWORD.EXE_3548_4412_2035.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274857_WINWORD.EXE_3548_4412_2034.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274857_WINWORD.EXE_3548_4412_2033.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274858_WINWORD.EXE_3548_4412_2032.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274858_WINWORD.EXE_3548_4412_2031.dmp2021-04-21 17:49:55.726 
11241100x80000000000000001549019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274859_WINWORD.EXE_3548_4412_2030.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274859_WINWORD.EXE_3548_4412_2029.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274860_WINWORD.EXE_3548_4412_2028.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274860_WINWORD.EXE_3548_4412_2027.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274860_WINWORD.EXE_3548_4412_2026.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274861_WINWORD.EXE_3548_4412_2025.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274861_WINWORD.EXE_3548_4412_2024.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274862_WINWORD.EXE_3548_4412_2023.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274862_WINWORD.EXE_3548_4412_2022.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274863_WINWORD.EXE_3548_4412_2021.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274863_WINWORD.EXE_3548_4412_2020.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274863_WINWORD.EXE_3548_4412_2019.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274864_WINWORD.EXE_3548_4412_2018.dmp2021-04-21 17:49:55.726 
11241100x80000000000000001549006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274864_WINWORD.EXE_3548_4412_2017.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274865_WINWORD.EXE_3548_4412_2016.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274865_WINWORD.EXE_3548_4412_2015.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.726{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274866_WINWORD.EXE_3548_4412_2014.dmp2021-04-21 17:49:55.726 11241100x80000000000000001549002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274866_WINWORD.EXE_3548_4412_2013.dmp2021-04-21 17:49:55.710 11241100x80000000000000001549001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274867_WINWORD.EXE_3548_4412_2012.dmp2021-04-21 17:49:55.710 11241100x80000000000000001549000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274867_WINWORD.EXE_3548_4412_2011.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274868_WINWORD.EXE_3548_4412_2010.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274868_WINWORD.EXE_3548_4412_2009.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274869_WINWORD.EXE_3548_4412_2008.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274869_WINWORD.EXE_3548_4412_2007.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274869_WINWORD.EXE_3548_4412_2006.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274870_WINWORD.EXE_3548_4412_2005.dmp2021-04-21 17:49:55.710 
11241100x80000000000000001548993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274870_WINWORD.EXE_3548_4412_2004.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274871_WINWORD.EXE_3548_4412_2003.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274871_WINWORD.EXE_3548_4412_2002.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274872_WINWORD.EXE_3548_4412_2001.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274872_WINWORD.EXE_3548_4412_2000.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274873_WINWORD.EXE_3548_4412_1999.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274873_WINWORD.EXE_3548_4412_1998.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274873_WINWORD.EXE_3548_4412_1997.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274874_WINWORD.EXE_3548_4412_1996.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274874_WINWORD.EXE_3548_4412_1995.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274877_WINWORD.EXE_3548_4412_1994.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274878_WINWORD.EXE_3548_4412_1993.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274878_WINWORD.EXE_3548_4412_1992.dmp2021-04-21 17:49:55.710 
11241100x80000000000000001548980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274878_WINWORD.EXE_3548_4412_1991.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274879_WINWORD.EXE_3548_4412_1990.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274879_WINWORD.EXE_3548_4412_1989.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274880_WINWORD.EXE_3548_4412_1988.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274880_WINWORD.EXE_3548_4412_1987.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274881_WINWORD.EXE_3548_4412_1986.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274881_WINWORD.EXE_3548_4412_1985.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274882_WINWORD.EXE_3548_4412_1984.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.710{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274882_WINWORD.EXE_3548_4412_1983.dmp2021-04-21 17:49:55.710 11241100x80000000000000001548971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.709{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274882_WINWORD.EXE_3548_4412_1982.dmp2021-04-21 17:49:55.709 11241100x80000000000000001548970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.709{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274883_WINWORD.EXE_3548_4412_1981.dmp2021-04-21 17:49:55.709 11241100x80000000000000001548969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.708{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274883_WINWORD.EXE_3548_4412_1980.dmp2021-04-21 17:49:55.708 11241100x80000000000000001548968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.708{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274884_WINWORD.EXE_3548_4412_1979.dmp2021-04-21 17:49:55.708 
11241100x80000000000000001548967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.708{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274884_WINWORD.EXE_3548_4412_1978.dmp2021-04-21 17:49:55.707 11241100x80000000000000001548966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.707{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274885_WINWORD.EXE_3548_4412_1977.dmp2021-04-21 17:49:55.707 11241100x80000000000000001548965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.707{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274885_WINWORD.EXE_3548_4412_1976.dmp2021-04-21 17:49:55.707 11241100x80000000000000001548964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.706{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274886_WINWORD.EXE_3548_4412_1975.dmp2021-04-21 17:49:55.706 11241100x80000000000000001548963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.706{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274886_WINWORD.EXE_3548_4412_1974.dmp2021-04-21 17:49:55.706 11241100x80000000000000001548962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.705{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274887_WINWORD.EXE_3548_4412_1973.dmp2021-04-21 17:49:55.705 11241100x80000000000000001548961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.705{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274887_WINWORD.EXE_3548_4412_1972.dmp2021-04-21 17:49:55.705 11241100x80000000000000001548960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.704{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274887_WINWORD.EXE_3548_4412_1971.dmp2021-04-21 17:49:55.704 11241100x80000000000000001548959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.704{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274888_WINWORD.EXE_3548_4412_1970.dmp2021-04-21 17:49:55.704 11241100x80000000000000001548958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274888_WINWORD.EXE_3548_4412_1969.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274889_WINWORD.EXE_3548_4412_1968.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274889_WINWORD.EXE_3548_4412_1967.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274890_WINWORD.EXE_3548_4412_1966.dmp2021-04-21 17:49:55.688 
11241100x80000000000000001548954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274890_WINWORD.EXE_3548_4412_1965.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274891_WINWORD.EXE_3548_4412_1964.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274891_WINWORD.EXE_3548_4412_1963.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274891_WINWORD.EXE_3548_4412_1962.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274892_WINWORD.EXE_3548_4412_1961.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274892_WINWORD.EXE_3548_4412_1960.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274893_WINWORD.EXE_3548_4412_1959.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274893_WINWORD.EXE_3548_4412_1958.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274894_WINWORD.EXE_3548_4412_1957.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274894_WINWORD.EXE_3548_4412_1956.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274894_WINWORD.EXE_3548_4412_1955.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274895_WINWORD.EXE_3548_4412_1954.dmp2021-04-21 17:49:55.688 11241100x80000000000000001548942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.688{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274895_WINWORD.EXE_3548_4412_1953.dmp2021-04-21 17:49:55.688 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274956_WINWORD.EXE_3548_4412_1816.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274957_WINWORD.EXE_3548_4412_1815.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274957_WINWORD.EXE_3548_4412_1814.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274958_WINWORD.EXE_3548_4412_1813.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274958_WINWORD.EXE_3548_4412_1812.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274958_WINWORD.EXE_3548_4412_1811.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274959_WINWORD.EXE_3548_4412_1810.dmp2021-04-21 17:49:55.626 
11241100x80000000000000001548798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274959_WINWORD.EXE_3548_4412_1809.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274960_WINWORD.EXE_3548_4412_1808.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274960_WINWORD.EXE_3548_4412_1807.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274961_WINWORD.EXE_3548_4412_1806.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274961_WINWORD.EXE_3548_4412_1805.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274962_WINWORD.EXE_3548_4412_1804.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274962_WINWORD.EXE_3548_4412_1803.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274963_WINWORD.EXE_3548_4412_1802.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274963_WINWORD.EXE_3548_4412_1801.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274964_WINWORD.EXE_3548_4412_1800.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274964_WINWORD.EXE_3548_4412_1799.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274964_WINWORD.EXE_3548_4412_1798.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274965_WINWORD.EXE_3548_4412_1797.dmp2021-04-21 17:49:55.626 
11241100x80000000000000001548785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274965_WINWORD.EXE_3548_4412_1796.dmp2021-04-21 17:49:55.626 11241100x80000000000000001548784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.626{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274966_WINWORD.EXE_3548_4412_1795.dmp2021-04-21 17:49:55.626 13241300x80000000000000001548783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.626{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001B034A\VirtualDesktopBinary Data 12241200x80000000000000001548782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.626{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001B034A 11241100x80000000000000001548781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274967_WINWORD.EXE_3548_4412_1794.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274967_WINWORD.EXE_3548_4412_1793.dmp2021-04-21 17:49:55.610 
11241100x80000000000000001548779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274967_WINWORD.EXE_3548_4412_1792.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274968_WINWORD.EXE_3548_4412_1791.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274968_WINWORD.EXE_3548_4412_1790.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274969_WINWORD.EXE_3548_4412_1789.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274969_WINWORD.EXE_3548_4412_1788.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274970_WINWORD.EXE_3548_4412_1787.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274970_WINWORD.EXE_3548_4412_1786.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274970_WINWORD.EXE_3548_4412_1785.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274971_WINWORD.EXE_3548_4412_1784.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274971_WINWORD.EXE_3548_4412_1783.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274972_WINWORD.EXE_3548_4412_1782.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274972_WINWORD.EXE_3548_4412_1781.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274973_WINWORD.EXE_3548_4412_1780.dmp2021-04-21 17:49:55.610 
11241100x80000000000000001548766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274973_WINWORD.EXE_3548_4412_1779.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274973_WINWORD.EXE_3548_4412_1778.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274974_WINWORD.EXE_3548_4412_1777.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274974_WINWORD.EXE_3548_4412_1776.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274975_WINWORD.EXE_3548_4412_1775.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274975_WINWORD.EXE_3548_4412_1774.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274976_WINWORD.EXE_3548_4412_1773.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274976_WINWORD.EXE_3548_4412_1772.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274977_WINWORD.EXE_3548_4412_1771.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274977_WINWORD.EXE_3548_4412_1770.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274977_WINWORD.EXE_3548_4412_1769.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274978_WINWORD.EXE_3548_4412_1768.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274978_WINWORD.EXE_3548_4412_1767.dmp2021-04-21 17:49:55.610 
11241100x80000000000000001548753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274979_WINWORD.EXE_3548_4412_1766.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274979_WINWORD.EXE_3548_4412_1765.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274980_WINWORD.EXE_3548_4412_1764.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274980_WINWORD.EXE_3548_4412_1763.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274980_WINWORD.EXE_3548_4412_1762.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274981_WINWORD.EXE_3548_4412_1761.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274981_WINWORD.EXE_3548_4412_1760.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274982_WINWORD.EXE_3548_4412_1759.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.610{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274982_WINWORD.EXE_3548_4412_1758.dmp2021-04-21 17:49:55.610 11241100x80000000000000001548744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.609{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274983_WINWORD.EXE_3548_4412_1757.dmp2021-04-21 17:49:55.609 11241100x80000000000000001548743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.609{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274983_WINWORD.EXE_3548_4412_1756.dmp2021-04-21 17:49:55.609 11241100x80000000000000001548742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.608{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274984_WINWORD.EXE_3548_4412_1755.dmp2021-04-21 17:49:55.608 11241100x80000000000000001548741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.608{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274984_WINWORD.EXE_3548_4412_1754.dmp2021-04-21 17:49:55.608 
11241100x80000000000000001548740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.608{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274985_WINWORD.EXE_3548_4412_1753.dmp2021-04-21 17:49:55.607 11241100x80000000000000001548739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.607{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274985_WINWORD.EXE_3548_4412_1752.dmp2021-04-21 17:49:55.607 11241100x80000000000000001548738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.607{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274985_WINWORD.EXE_3548_4412_1751.dmp2021-04-21 17:49:55.606 11241100x80000000000000001548737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.606{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274986_WINWORD.EXE_3548_4412_1750.dmp2021-04-21 17:49:55.606 11241100x80000000000000001548736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.606{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274986_WINWORD.EXE_3548_4412_1749.dmp2021-04-21 17:49:55.606 11241100x80000000000000001548735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.605{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274987_WINWORD.EXE_3548_4412_1748.dmp2021-04-21 17:49:55.605 11241100x80000000000000001548734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.605{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274987_WINWORD.EXE_3548_4412_1747.dmp2021-04-21 17:49:55.605 11241100x80000000000000001548733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.604{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274988_WINWORD.EXE_3548_4412_1746.dmp2021-04-21 17:49:55.604 11241100x80000000000000001548732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.604{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274988_WINWORD.EXE_3548_4412_1745.dmp2021-04-21 17:49:55.604 11241100x80000000000000001548731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274989_WINWORD.EXE_3548_4412_1744.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274989_WINWORD.EXE_3548_4412_1743.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274990_WINWORD.EXE_3548_4412_1742.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274990_WINWORD.EXE_3548_4412_1741.dmp2021-04-21 17:49:55.588 
11241100x80000000000000001548727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274990_WINWORD.EXE_3548_4412_1740.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274991_WINWORD.EXE_3548_4412_1739.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274995_WINWORD.EXE_3548_4412_1738.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274995_WINWORD.EXE_3548_4412_1737.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274996_WINWORD.EXE_3548_4412_1736.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274996_WINWORD.EXE_3548_4412_1735.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274997_WINWORD.EXE_3548_4412_1734.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274997_WINWORD.EXE_3548_4412_1733.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274997_WINWORD.EXE_3548_4412_1732.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274998_WINWORD.EXE_3548_4412_1731.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274998_WINWORD.EXE_3548_4412_1730.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274999_WINWORD.EXE_3548_4412_1729.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175274999_WINWORD.EXE_3548_4412_1728.dmp2021-04-21 17:49:55.588 
11241100x80000000000000001548714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275000_WINWORD.EXE_3548_4412_1727.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275000_WINWORD.EXE_3548_4412_1726.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275001_WINWORD.EXE_3548_4412_1725.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275001_WINWORD.EXE_3548_4412_1724.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275001_WINWORD.EXE_3548_4412_1723.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275002_WINWORD.EXE_3548_4412_1722.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275002_WINWORD.EXE_3548_4412_1721.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275003_WINWORD.EXE_3548_4412_1720.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275003_WINWORD.EXE_3548_4412_1719.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.588{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275004_WINWORD.EXE_3548_4412_1718.dmp2021-04-21 17:49:55.588 11241100x80000000000000001548704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275004_WINWORD.EXE_3548_4412_1717.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275005_WINWORD.EXE_3548_4412_1716.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275005_WINWORD.EXE_3548_4412_1715.dmp2021-04-21 17:49:55.572 
11241100x80000000000000001548701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275006_WINWORD.EXE_3548_4412_1714.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275006_WINWORD.EXE_3548_4412_1713.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275007_WINWORD.EXE_3548_4412_1712.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275007_WINWORD.EXE_3548_4412_1711.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275007_WINWORD.EXE_3548_4412_1710.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275008_WINWORD.EXE_3548_4412_1709.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275008_WINWORD.EXE_3548_4412_1708.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275009_WINWORD.EXE_3548_4412_1707.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275009_WINWORD.EXE_3548_4412_1706.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275010_WINWORD.EXE_3548_4412_1705.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275010_WINWORD.EXE_3548_4412_1704.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275011_WINWORD.EXE_3548_4412_1703.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275011_WINWORD.EXE_3548_4412_1702.dmp2021-04-21 17:49:55.572 
11241100x80000000000000001548688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275011_WINWORD.EXE_3548_4412_1701.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275012_WINWORD.EXE_3548_4412_1700.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275012_WINWORD.EXE_3548_4412_1699.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275013_WINWORD.EXE_3548_4412_1698.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275013_WINWORD.EXE_3548_4412_1697.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275014_WINWORD.EXE_3548_4412_1696.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275014_WINWORD.EXE_3548_4412_1695.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275018_WINWORD.EXE_3548_4412_1694.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275018_WINWORD.EXE_3548_4412_1693.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275019_WINWORD.EXE_3548_4412_1692.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275019_WINWORD.EXE_3548_4412_1691.dmp2021-04-21 17:49:55.572 11241100x80000000000000001548677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.572{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275020_WINWORD.EXE_3548_4412_1690.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275020_WINWORD.EXE_3548_4412_1689.dmp2021-04-21 17:49:55.557 
11241100x80000000000000001548675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275021_WINWORD.EXE_3548_4412_1688.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275021_WINWORD.EXE_3548_4412_1687.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275021_WINWORD.EXE_3548_4412_1686.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275022_WINWORD.EXE_3548_4412_1685.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275022_WINWORD.EXE_3548_4412_1684.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275023_WINWORD.EXE_3548_4412_1683.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275023_WINWORD.EXE_3548_4412_1682.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275024_WINWORD.EXE_3548_4412_1681.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275024_WINWORD.EXE_3548_4412_1680.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275025_WINWORD.EXE_3548_4412_1679.dmp2021-04-21 17:49:55.557 11241100x80000000000000001548665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275025_WINWORD.EXE_3548_4412_1678.dmp2021-04-21 17:49:55.557 10341000x80000000000000001548664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001548663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}35484412C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c98f|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d457|UNKNOWN(00000200BF36276A) 154100x80000000000000001548662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.566{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\dllhost.exeC:\Users\Administrator\Documents\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Administrator\Desktop\cs_doc1_rundll32.dotm" 11241100x80000000000000001548661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\amsi_tracer\-175275028_WINWORD.EXE_3548_4412_1677.dmp2021-04-21 17:49:55.557 13241300x80000000000000001548660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:49:55.557{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001548659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:55.557{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 10341000x80000000000000001548658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.557{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001548657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.206{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:55.206{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4347ECE4FFFA8C546C565087A3C42204,SHA256=D3C1471E4D80BDC1A49AF9B02A4C4E6C79586273641A6C18156F2C9CCE06C1B6falsefalse - insufficient disk space 11241100x80000000000000001548655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.205{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001548654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.205{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC857BE6D9474FFFB3BB824A3763F155,SHA256=37678E78803005D8C0664EF5D45C0CBCD364891F417DC60E69E46BFDA0A2238Cfalsefalse - insufficient disk space 10341000x80000000000000001067570Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:56.989{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067569Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:56.989{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067568Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:56.391{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA745637824FA394F45E10B99EDBDC86,SHA256=9EB466468ADD23D922BF1015CF0D207A081F5E4536524AC9A79E698B24A92983,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001550178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.591{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001550177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.591{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4347ECE4FFFA8C546C565087A3C42204,SHA256=D3C1471E4D80BDC1A49AF9B02A4C4E6C79586273641A6C18156F2C9CCE06C1B6falsefalse - insufficient disk space 354300x80000000000000001550176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:53.738{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65003-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001550175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.212{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.212{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F111BDD5650C3A0BE0E5DA7238251D,SHA256=BF1DA2FD36A2565A29506031225A3A3CC3FFCB0F8C43C4EE4D3E616ADC4AC372falsefalse - insufficient disk space 12241200x80000000000000001550173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001550172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000001550171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.127{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\dui70.dll10.0.14393.4169 (rs1_release.210107-1130)Windows DirectUI EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationDUI70.DLLMD5=E106B5F926250103ED5FCECAAF5F2B50,SHA256=B94CEDC430D22B2BA88BB1520EDF9362850494896F810DB0AC9E552E9BF8C031trueMicrosoft WindowsValid 12241200x80000000000000001550170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001550169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001550168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001550167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000001550165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.190{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.143{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001550035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.143{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 10341000x80000000000000001550034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.143{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.143{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001550032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.127{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 10341000x80000000000000001550031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.127{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.127{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001550029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.127{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=F715551044759B3E0D8310D982728D42,SHA256=24ED40B61F6EBA76BDFC858B0EB3FC49C8FEE9CF929CBD1DED3DB515A69FAAD4trueMicrosoft WindowsValid 10341000x80000000000000001550028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.127{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.127{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=4A773F12C91C86BEC51979E7C5858548,SHA256=FD21C32FE46607F058240D3B185CAA8E437F76625FEAD979B705E7BA3B53ED31trueMicrosoft WindowsValid 734700x80000000000000001550026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.127{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValid 734700x80000000000000001550025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.127{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValid 10341000x80000000000000001550024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.111{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\wer.dll+3ef62(wow64)|C:\Windows\System32\wer.dll+3f333(wow64)|C:\Windows\System32\wer.dll+3fb69(wow64)|C:\Windows\System32\wer.dll+202eb(wow64)|C:\Windows\System32\wer.dll+14541(wow64)|C:\Windows\System32\faultrep.dll+fb1c(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f 11241100x80000000000000001550023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.111{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\59d6c111-17c0-4788-936b-8af0b92060e72021-04-21 17:49:56.111 11241100x80000000000000001550022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.111{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\9d8fc961-c76d-4a0e-87db-c16a0c299f9c2021-04-21 17:49:56.111 11241100x80000000000000001550021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.111{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\ddad6027-62c1-42a5-80e4-8fd31e5807be2021-04-21 17:49:56.111 10341000x80000000000000001550020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.111{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\wer.dll+32eab(wow64)|C:\Windows\System32\wer.dll+24751(wow64)|C:\Windows\System32\wer.dll+145e9(wow64)|C:\Windows\System32\faultrep.dll+fa00(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x80000000000000001550019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.111{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33fe2f(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33d738(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee5e9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee664(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1ee6ed(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c8c5(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+29305d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1e12f4(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+28c4f9(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb18d(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cb022(wow64) 11241100x80000000000000001550018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.105{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.105{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826CEEC2A69D7290BFD2AD1C079907C9,SHA256=CADB8E9B79015345E0770BA642872F8757E2CE82F824F2D3D1CDFF9E27FF0A6Cfalsefalse - insufficient 
disk space 12241200x80000000000000001550016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001550015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001550014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001550013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001550012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x80000000000000001550011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.074{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ntmarta.dll10.0.14393.1378 (rs1_release.170620-2008)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=42413E3092F5AE88247827FE65C55601,SHA256=C5DD44F462B2C1AFED3C7FF9FD5102B9DE8434333679CB6C8FDFEB9217C69B07trueMicrosoft WindowsValid 12241200x80000000000000001550010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001550009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001550008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000001550002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001549989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001549988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 
734700x80000000000000001549987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.058{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\aepic.dll10.0.19645.1032 (WinBuild.160101.0800)Application Experience Program CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationaepic.dllMD5=D681E677EA3BF7C96E44E3E078B57157,SHA256=76578F80CE995467E1AC137F0B36A9E6AFAD67ED5C4CDD2126F409BF457E8A82trueMicrosoft WindowsValid 12241200x80000000000000001549986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001549985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001549984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001549983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.089{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 
Sysmon events exported from the Microsoft-Windows-Sysmon/Operational channel on win-host-5.attackrange.local, 2021-04-21 (UTC). The export is event XML with the tags stripped; the records are laid out below in Sysmon schema field order, newest first as exported. Fields constant across all records: Level 4, Opcode 0, Keywords 0x8000000000000000, Task = EventID, RuleName "-". Schema Version: 2 for EventID 11/12/13, 3 for 7/10, 5 for 23.

Processes (ProcessGuid, PID, Image):
  {21761711-83AE-607D-1D00-00000000BB01}  1960  C:\Windows\sysmon64.exe
  {21761711-65C4-6080-555E-00000000BB01}   332  C:\Windows\SysWOW64\WerFault.exe
  {21761711-65C3-6080-535E-00000000BB01}  2340  C:\Windows\SysWOW64\dllhost.exe  (ProcessAccess target only)
  {21761711-8437-607D-CE00-00000000BB01}  2032  C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe

Row layout: RecordID, EventID, UtcTime, Image[PID], event type, then the event-specific fields.
  12 RegistryEvent   CreateKey/DeleteKey  TargetObject
  13 RegistryEvent   SetValue             TargetObject = Details
   7 ImageLoad       ImageLoaded; continuation lines carry FileVersion; Description; Product; Company; OriginalFileName, then Hashes; Signed; Signature; SignatureStatus
  10 ProcessAccess   SourceImage[SourcePID] tid SourceThreadId -> TargetImage[TargetPID] {TargetProcessGUID}, GrantedAccess; continuation line carries CallTrace.
                     The export ran SourceProcessId and SourceThreadId together ("3325500"); they are shown as 332 / 5500 because 332 is the PID recorded for that ProcessGuid in every other record.
  11 FileCreate      TargetFilename, CreationUtcTime
  23 FileDelete      User, TargetFilename, Hashes, IsExecutable, Archived

1549973  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1549972  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1549971  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
1549970  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
1549969  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
1549968  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
1549967  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1549966  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1549965  12  17:49:56.089  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1549964  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
1549963   7  17:49:56.042  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\dbgcore.dll
             10.0.14321.1024 (debuggers(dbg).160715-1616); Windows Core Debugging Helpers; Microsoft® Windows® Operating System; Microsoft; DBGCORE.DLL
             MD5=F9E3229224FEC57A53F5B2A4B21942E0, SHA256=C008454B1C65436C4289918CD64A83FDE655E2682977C68F3B866A3BB947E244; Signed=true; Microsoft Windows; Valid
1549962  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
1549961  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
1549960  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1549959  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1549958  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1549957  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1549956  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1549955  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1549954  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1549953  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1549952  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1549951  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1549950  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1549949  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1549948  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1549947  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1549946  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
1549945  10  17:49:56.074  WerFault.exe[332] tid 5500  ProcessAccess  -> dllhost.exe[2340] {21761711-65C3-6080-535E-00000000BB01}  GrantedAccess 0x1fffff
             CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+3404d2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+33c892(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+232f54(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+233565(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+239e56(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf2f2(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cd856(wow64)|C:\Windows\SYSTEM32\dbgeng.dll+1cf434(wow64)|C:\Windows\System32\faultrep.dll+14a65(wow64)|C:\Windows\System32\faultrep.dll+e3db(wow64)|C:\Windows\System32\faultrep.dll+f895(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)
1549944  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
1549943  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
1549942  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
1549941  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1549940  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1549939  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1549938   7  17:49:56.074  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\version.dll
             10.0.14393.0 (rs1_release.160715-1616); Version Checking and File Installation Libraries; Microsoft® Windows® Operating System; Microsoft Corporation; VERSION.DLL
             MD5=181FE38C3FE164FBFC1A5A8399CCC2DA, SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9; Signed=true; Microsoft Windows; Valid
1549937   7  17:49:56.074  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\secur32.dll
             10.0.14393.2273 (rs1_release_1.180427-1811); Security Support Provider Interface; Microsoft® Windows® Operating System; Microsoft Corporation; secur32.dll
             MD5=12ED40D048D0F5F44D3877936A1B7E8B, SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41; Signed=true; Microsoft Windows; Valid
1549936   7  17:49:56.074  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\xmllite.dll
             10.0.14393.3143 (rs1_release.190725-1725); Microsoft XmlLite Library; Microsoft® Windows® Operating System; Microsoft Corporation; XmlLite.dll
             MD5=6B79A24E4A03FB84ED7AD3CDEE60882E, SHA256=21FDC6DA3E5F2D55238D1801725353A879D5D909456C03DBBD3A7401DDAC464A; Signed=true; Microsoft Windows; Valid
1549935  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1549934  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1549933  12  17:49:56.074  WerFault.exe[332]   DeleteKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\PermissionsCheckTestKey
1549932  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\PermissionsCheckTestKey
1549931  13  17:49:56.074  WerFault.exe[332]   SetValue   \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\WritePermissionsCheck = DWORD (0x00000001)
1549930  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile
1549929  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root
1549928  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
1549927  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
1549926  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
1549925  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1549924   7  17:49:56.042  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\Faultrep.dll
             10.0.14393.4046 (rs1_release.201028-1803); Windows User Mode Crash Reporting DLL; Microsoft® Windows® Operating System; Microsoft Corporation; faultrep.dll
             MD5=DF986454FA35F76D1A1A896DD06E8A82, SHA256=F6AEAFE468D20799BECDA4D721940B317E88C2695A80D8497D816B8C241B700D; Signed=true; Microsoft Windows; Valid
1549923  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1549922  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1549921  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1549920  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1549919  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1549918  13  17:49:56.074  WerFault.exe[332]   SetValue   HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord = Binary Data
1549917  12  17:49:56.074  WerFault.exe[332]   CreateKey  HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug
1549916  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1549915  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1549914  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1549913  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1549912  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1549911  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1549910  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1549909  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1549908  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
1549907  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
1549906  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
1549905  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
1549904  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1549903  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1549902  11  17:49:56.074  splunk-winevtlog.exe[2032]  FileCreate  C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application; CreationUtcTime 2021-04-19 13:19:52.725
1549901  23  17:49:56.074  splunk-winevtlog.exe[2032]  FileDelete  User NT AUTHORITY\SYSTEM; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application
             MD5=9BDF804D95ED2662195199766EF883B8, SHA256=14160CD5AC9762F5592C98873D6CDC358C700B98E84A514EC02E96BE35C31802; IsExecutable=false; Archived: false - insufficient disk space
1549900  11  17:49:56.074  splunk-winevtlog.exe[2032]  FileCreate  C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application; CreationUtcTime 2021-04-19 13:19:52.725
1549899  23  17:49:56.074  splunk-winevtlog.exe[2032]  FileDelete  User NT AUTHORITY\SYSTEM; C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application
             MD5=83B554800A149999EB4D1C21EA6EC209, SHA256=9CFEACBD8953CEE4EB73589A4FFA926EBF5EEE7CAEA4CE57FD864B4D5EF77744; IsExecutable=false; Archived: false - insufficient disk space
1549898  10  17:49:56.074  WerFault.exe[332] tid 5500  ProcessAccess  -> dllhost.exe[2340] {21761711-65C3-6080-535E-00000000BB01}  GrantedAccess 0x1410
             CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+26bd3(wow64)|C:\Windows\System32\faultrep.dll+19d06(wow64)|C:\Windows\System32\faultrep.dll+19eb5(wow64)|C:\Windows\System32\faultrep.dll+194bb(wow64)|C:\Windows\System32\faultrep.dll+f4b1(wow64)|C:\Windows\System32\faultrep.dll+d74c(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)
1549897  12  17:49:56.074  WerFault.exe[332]   DeleteKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\PermissionsCheckTestKey
1549896  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\PermissionsCheckTestKey
1549895  13  17:49:56.074  WerFault.exe[332]   SetValue   \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\WritePermissionsCheck = DWORD (0x00000001)
1549894  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile
1549893  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root
1549892  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1549891  12  17:49:56.074  WerFault.exe[332]   DeleteKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\PermissionsCheckTestKey
1549890  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\PermissionsCheckTestKey
1549889  13  17:49:56.074  WerFault.exe[332]   SetValue   \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile\WritePermissionsCheck = DWORD (0x00000001)
1549888  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
1549887  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
1549886  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
1549885   7  17:49:56.042  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\dbghelp.dll
             10.0.14321.1024 (rs1_release.160715-1616); Windows Image Helper; Microsoft® Windows® Operating System; Microsoft; DBGHELP.DLL
             MD5=529408E2C123D00D4CC2BEBCC8479566, SHA256=B8FE6F8E7B439EE4890F305AA008553CB68F6FEA7268262E6F1C3FD7F6FB90B8; Signed=true; Microsoft Windows; Valid
1549884  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1549883  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
1549882  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1549881  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1549880  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1549879  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root\InventoryApplicationFile
1549878  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
1549877  12  17:49:56.074  WerFault.exe[332]   CreateKey  \REGISTRY\A\{c4bb84aa-1b13-d6ee-ef07-3451786e9523}\Root
1549876  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
1549875  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
1549874  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
1549873  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1549872  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
1549871  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
1549870  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
1549869  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
1549868  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
1549867  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
1549866  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
1549865  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
1549864  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1549863  12  17:49:56.074  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
1549862  12  17:49:56.058  sysmon64.exe[1960]  CreateKey  HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
1549861   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\iertutil.dll
             11.00.14393.4283 (rs1_release.210303-1802); Run time utility for Internet Explorer; Internet Explorer; Microsoft Corporation; IeRtUtil.dll
             MD5=D72267FB5D321279DE909DB118CDEEFE, SHA256=D8386DCF2ACF3D48A2C95CCF6C3A9505E1CA99FF803027D76068596A34210FAE; Signed=true; Microsoft Windows; Valid
1549860   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\msvcp_win.dll
             10.0.14393.2999 (rs1_release_inmarket.190520-1518); Microsoft® C Runtime Library; Microsoft® Windows® Operating System; Microsoft Corporation; msvcp_win.dll
             MD5=7BC54AA66588A3DF7B1448A4493C6663, SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946; Signed=true; Microsoft Windows; Valid
1549859   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\oleaut32.dll
             10.0.14393.4225 (rs1_release.210127-1811); OLEAUT32.DLL; Microsoft® Windows® Operating System; Microsoft Corporation; OLEAUT32.DLL
             MD5=4803B5E62FA1809BBED6F7E987942ACB, SHA256=D7D53A4FEB2016307A812A04964CEEC5E211A676A303B41EA16EAFD3AA7C3B72; Signed=true; Microsoft Windows; Valid
1549858   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\profapi.dll
             10.0.14393.0 (rs1_release.160715-1616); User Profile Basic API; Microsoft® Windows® Operating System; Microsoft Corporation; PROFAPI.DLL
             MD5=CA6447DDCA724F0C5C0CAFDE184EFE64, SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C; Signed=true; Microsoft Windows; Valid
1549857   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\powrprof.dll
             10.0.14393.0 (rs1_release.160715-1616); Power Profile Helper DLL; Microsoft® Windows® Operating System; Microsoft Corporation; POWRPROF.DLL
             MD5=A6F22CA344FD1B7D75D49ECC718693C8, SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489; Signed=true; Microsoft Windows; Valid
1549856   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\windows.storage.dll
             10.0.14393.4350 (rs1_release.210407-2154); Microsoft WinRT Storage API; Microsoft® Windows® Operating System; Microsoft Corporation; Windows.Storage.dll
             MD5=1112AB17E3ABDFF5F20CB2F465A2E117, SHA256=C47039A4DF6C685317C6539F205A46350DB055342704F1957D1FB0A1278AC076; Signed=true; Microsoft Windows; Valid
1549855   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\cfgmgr32.dll
             10.0.14393.0 (rs1_release.160715-1616); Configuration Manager DLL; Microsoft® Windows® Operating System; Microsoft Corporation; CFGMGR32.DLL
             MD5=90A1CD387F9CB30F86D34B88BFCD83A1, SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97; Signed=true; Microsoft Windows; Valid
1549854   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\shell32.dll
             10.0.14393.4350 (rs1_release.210407-2154); Windows Shell Common Dll; Microsoft® Windows® Operating System; Microsoft Corporation; SHELL32.DLL
             MD5=1A1F35AD47F8EB4BB2203E875C20EDFE, SHA256=21F3B5877315EC221A1F23EA4863A4E987DBFF63D6FCC97C8D59801356413A4B; Signed=true; Microsoft Windows; Valid
1549853   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\ole32.dll
             10.0.14393.4169 (rs1_release.210107-1130); Microsoft OLE for Windows; Microsoft® Windows® Operating System; Microsoft Corporation; OLE32.DLL
             MD5=2BDBEE1B42063F245AC86F54C236BC4E, SHA256=CD558E008DA76E171FC9B8CF87556353330D7B7BF593B5074E4FEB08BC14CFC6; Signed=true; Microsoft Windows; Valid
1549852   7  17:49:56.058  WerFault.exe[332]   ImageLoad  C:\Windows\SysWOW64\shlwapi.dll
             10.0.14393.4169 (rs1_release.210107-1130); Shell Light-weight Utility Library; Microsoft® Windows® Operating System; Microsoft Corporation; SHLWAPI.DLL
             MD5=0FDEB9236FF287E329F2EF155BA8AE56, SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95; Signed=true; Microsoft Windows; Valid
1549851  10  17:49:56.058  WerFault.exe[332] tid 5500  ProcessAccess  -> dllhost.exe[2340] {21761711-65C3-6080-535E-00000000BB01}  GrantedAccess 0x1fffff
             CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a9a3c(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+12d7c(wow64)|C:\Windows\System32\faultrep.dll+d63f(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)
1549850  10  2021-04-21  (ProcessAccess; the record is cut off after the date at the end of the export, remaining fields absent)
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.058{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+1085d(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x80000000000000001549840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.058{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValid 10341000x80000000000000001549839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.042{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+26bd3(wow64)|C:\Windows\System32\faultrep.dll+113c0(wow64)|C:\Windows\System32\faultrep.dll+d23a(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.042{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10497(wow64)|C:\Windows\System32\faultrep.dll+d186(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.042{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+d124(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-83AE-607D-1600-00000000BB01}11086004C:\Windows\system32\svchost.exe{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001549835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.042{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001549834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValid 12241200x80000000000000001549833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001549832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001549831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001549830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001549829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001549828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001549827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000001549826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\wer.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=8E413051DCEE704261ECCB513D0BE8E1,SHA256=0FFE33CB1FF0C347C8522965F2AAD467F92DA6F7FFAD3AA1DF824C5BC5AFDB30trueMicrosoft WindowsValid 12241200x80000000000000001549825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 
12241200x80000000000000001549823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000001549807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValid 734700x80000000000000001549806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=CDD32AC585A458B6B2BC777FACF83BA4,SHA256=6A6D1362633319BA3E2D389A70827D0B5802C5EA9DD5CA723AEA6DBF65713426trueMicrosoft WindowsValid 734700x80000000000000001549805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValid 734700x80000000000000001549804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValid 734700x80000000000000001549803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValid 10341000x80000000000000001549802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001549801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.042{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 11241100x80000000000000001549800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\2b0ab3c2-eb13-48f0-b05a-03ae83bb924e2021-04-21 17:49:56.042 734700x80000000000000001549799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=0D7153433B25ABA6DF86FBC7FA543CBF,SHA256=C8DF43428EC79BEB384B2B2561A3D8FF98040ABBC760C35F99E1FBE2D04170BFtrueMicrosoft WindowsValid 734700x80000000000000001549798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft 
CorporationCRYPT32.DLLMD5=33E4F8ECEA33AC2AAB8C336A0C11AAA7,SHA256=EE44DEE528EB91D80BB3DE79DBDD7E135A51FD6EF2AF360B6DB8A3CB0C297D1BtrueMicrosoft WindowsValid 12241200x80000000000000001549797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001549796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=5E8336C79BE0C2F1080B575E434DD0E4,SHA256=FB7EB70237B5897F875CE8786C26E09F61120DB4A91376A65433EEDCFA634A11trueMicrosoft WindowsValid 734700x80000000000000001549795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=FD246A07CED3BC52C91E4CE7F149B814,SHA256=643D290491BB7D0137CAD77B3DB612D69A6EC7AFE9C411D438C3CA1769F1EECCtrueMicrosoft WindowsValid 734700x80000000000000001549794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValid 
734700x80000000000000001549793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=46729D62C2C59533BF7F18EC62EA1066,SHA256=F890DA6B91DCCEF82188724339EB4469B27AA19183938F4269C8DE3FEA6C12F0trueMicrosoft WindowsValid 734700x80000000000000001549792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValid 734700x80000000000000001549791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.2515 (rs1_release_1.180830-1044)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0A509BFB5A32121F89325D493794CA83,SHA256=CB89991C328399A0AD5A18C38DD69FA77922A7977D9F4E7193C59AC03AF614B2trueMicrosoft WindowsValid 734700x80000000000000001549790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=7B019DFD62509B244C4A11809F595C07,SHA256=2E879BBDC7C215041617FC599FCBA8C474F99E27B8333EA4DCA4854FE738F22DtrueMicrosoft WindowsValid 
734700x80000000000000001549789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValid 734700x80000000000000001549788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=580643DD40890B231399EA5F57EFAA70,SHA256=0B374B1825ABFF7B26170E75F1B638DF08A15B07660A7DF5533F02853CF266C6trueMicrosoft WindowsValid 734700x80000000000000001549787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BE003247800053860D5C85D2BCEB0744,SHA256=D687D105741BDEB1BCEE18F3692AE688C52E85F1BBA745315FA2FB7F953DCE55trueMicrosoft WindowsValid 734700x80000000000000001549786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft 
WindowsValid 734700x80000000000000001549785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=3394E4EEB4851D80DD7548EC87EAEA5F,SHA256=7F670ACCE58EAADE796FEF335B4EAEAB66DFC47875219B9BE3C9B405A452450BtrueMicrosoft WindowsValid 734700x80000000000000001549784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValid 12241200x80000000000000001549783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001549782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x80000000000000001549781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.027{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe10.0.14393.4046 (rs1_release.201028-1803)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeMD5=873FDC21DDF6CBD1D5396E15D9EEB070,SHA256=B18648B926F4F6F1721D033741E07D23148BB3EE435E579B34C2A2B4439476D0trueMicrosoft 
WindowsValid 12241200x80000000000000001549780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001549779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001549778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001549777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001549770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 
12241200x80000000000000001549765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001549763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001549762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 10341000x80000000000000001549761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 12241200x80000000000000001549760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001549759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.042{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 
734700x80000000000000001549758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=E3B7B5531159A395AC63B7EA256FE7B6,SHA256=B631E93E271E706E0204B606D7851ADF7E65FCA04ACDD73103F0754A9C01007EtrueMicrosoft WindowsValid 734700x80000000000000001549757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001549756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValid 734700x80000000000000001549755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 
734700x80000000000000001549754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001549753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=E0C87CF8838DB8C6DBD24A708FCED51B,SHA256=0616E630C7F8E116CE43390638C9CE99209556662C2BBDF5845F1CD03E1C6C4EtrueMicrosoft WindowsValid 734700x80000000000000001549752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001549751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValid 
734700x80000000000000001549750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.042{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValid 734700x80000000000000001549749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.027{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=57015A39A73789DC7171F4F6B211AC32,SHA256=3ED6D5A7095A141DCF234926EE0274FDA627C2829607DCE0F7604B7C683067E9trueMicrosoft WindowsValid 12241200x80000000000000001549748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.027{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001549747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.027{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 10341000x80000000000000001549746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.027{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001549745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.027{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+5b5b|c:\windows\system32\faultrep.dll+61c1|c:\windows\system32\wersvc.dll+ae9c|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001549744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.040{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe10.0.14393.4046 (rs1_release.201028-1803)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1524C:\Windows\system32\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=873FDC21DDF6CBD1D5396E15D9EEB070,SHA256=B18648B926F4F6F1721D033741E07D23148BB3EE435E579B34C2A2B4439476D0{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe 11241100x80000000000000001549743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.027{21761711-65AF-6080-515E-00000000BB01}5356C:\Windows\System32\svchost.exeC:\ProgramData\Microsoft\Windows\WER\Temp\dbc86d43-7c05-41b9-a8a2-e7b7fed632a12021-04-21 17:49:56.027 10341000x80000000000000001549742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.027{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae19|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001549741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.027{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ac09|c:\windows\system32\wersvc.dll+7843|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001549740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.027{21761711-65AF-6080-515E-00000000BB01}53563604C:\Windows\System32\svchost.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+7a60|c:\windows\system32\wersvc.dll+76fc|c:\windows\system32\wersvc.dll+4a1f|c:\windows\system32\wersvc.dll+4688|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001549739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.027{21761711-65C3-6080-535E-00000000BB01}23404188C:\Windows\SysWOW64\dllhost.exe{21761711-65C4-6080-545E-00000000BB01}7796C:\Windows\SysWOW64\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ef6c(wow64)|C:\Windows\SYSTEM32\ntdll.dll+ece62(wow64)|C:\Windows\System32\KERNEL32.DLL+66cbc(wow64)|C:\Windows\System32\KERNEL32.DLL+66a86(wow64)|C:\Windows\System32\KERNEL32.DLL+3e649(wow64)|C:\Windows\System32\KERNELBASE.dll+15e95a(wow64)|C:\Windows\SYSTEM32\ntdll.dll+9d2fe(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x80000000000000001549738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\wininetlui.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Provides legacy UI for wininetMicrosoft® Windows® Operating SystemMicrosoft Corporationwininetlui.dllMD5=264529BBF1D0F2E468E21CE4BBE0FA77,SHA256=E63316A56AFCC5A24B2B999FCC5CD923394E24D525AEBC3C10B4A1DBBE25C88BtrueMicrosoft 
WindowsValid 734700x80000000000000001549737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ncryptsslp.dll10.0.14393.3541 (rs1_release_inmarket.200218-2047)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=8CFD633EE740B2693E96831A534E4577,SHA256=78CC7389CB132DE0B826A2C78F1F9A6170F6A5DBEEE997E6B83C206C79B17510trueMicrosoft WindowsValid 13241300x80000000000000001549736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001549735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001549734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001549733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001549732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=A11EBF985384257D0E302247145A5F80,SHA256=8254D3505507F2942E0051B5B68098F4525B8B6DC560FABCDE77C4E59024B461trueMicrosoft WindowsValid 12241200x80000000000000001549731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x80000000000000001549730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x80000000000000001549729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x80000000000000001549728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001549727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001549726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:56.011{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 
Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040CtrueMicrosoft WindowsValid 12241200x80000000000000001549581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:55.989{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001549580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=D204C988115DD69889E3C0172E92BCFF,SHA256=3F3ED7720F970CA1704BF5215C574ED9FF19778C57E2D484180DA2D8361B130DtrueMicrosoft WindowsValid 734700x80000000000000001549579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=CDA0441BE02BB525B159B3949D9DC67D,SHA256=4977F6560E6B355299CB160CBFA411E0EDA83558AE15E8E323CD5BA02351C6CAtrueMicrosoft WindowsValid 734700x80000000000000001549578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=A9005C06D4F367BF4B8C6FB9C4B42AE7,SHA256=0539649D648911F05F93B06C2A1F9827C9BDBED1928A932223DB12A3FFB83919trueMicrosoft WindowsValid 734700x80000000000000001549577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=0D7153433B25ABA6DF86FBC7FA543CBF,SHA256=C8DF43428EC79BEB384B2B2561A3D8FF98040ABBC760C35F99E1FBE2D04170BFtrueMicrosoft WindowsValid 734700x80000000000000001549576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.989{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=D9702DF4C37BE14869F2645CA77D0561,SHA256=056156B54F6468B454F324F20B3FB332F06B28120331BD86168BC2666385B339trueMicrosoft WindowsValid 10341000x80000000000000001067574Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:57.990{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067573Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:57.990{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067572Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:57.711{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=754B24AA9930D317CAC55F6C6042E49C,SHA256=67C86CFAC486000A426DFA6A82D1828B05F976BA30DDE6ECB88629532095DCAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067571Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:57.393{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE57894CCA9A9A83D9B153296D8592D,SHA256=8B63379545348CE6630901C4BF0F4D39C313116D1A8636B44E9C961251B769C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:55.544{21761711-65C3-6080-535E-00000000BB01}2340<unknown process>WIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local65004-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 
13241300x80000000000000001550200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:57.430{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C034A\VirtualDesktopBinary Data 12241200x80000000000000001550199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:57.430{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C034A 13241300x80000000000000001550198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:57.377{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001550197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:49:57.377{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001550196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:57.377{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001550195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:57.377{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe 534500x80000000000000001550194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:57.377{21761711-65C4-6080-555E-00000000BB01}332C:\Windows\SysWOW64\WerFault.exe 10341000x80000000000000001550193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001550184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:57.377{21761711-65C4-6080-555E-00000000BB01}3325500C:\Windows\SysWOW64\WerFault.exe{21761711-65C3-6080-535E-00000000BB01}2340C:\Windows\SysWOW64\dllhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+10766(wow64)|C:\Windows\System32\faultrep.dll+10895(wow64)|C:\Windows\System32\faultrep.dll+c632(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 12241200x80000000000000001550183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:49:57.377{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C034A 10341000x80000000000000001550182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:57.377{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:57.377{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:57.045{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:57.045{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AA4586E8DAF3D1115700F6928DB361,SHA256=0B15A395622B1A2D4AD19C899D46EAD23FED7C81026F3F4043E42BDDBC85BE32falsefalse - insufficient disk space 10341000x80000000000000001067577Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:49:58.990{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067576Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:58.990{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067575Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:58.420{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D793402FFB1F704E71E72CA043F8044,SHA256=0EC182705493DE2B5795B02CF9AF9B77018E54A928B70B3CA77950006E5B9022,IMPHASH=00000000000000000000000000000000falsetrue 254200x80000000000000001550246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:49:58.918{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\WINWORD\App_1619026758236918700_4C5C2542-D5C9-4327-9F3C-E3DB088ADCF2.log2021-04-21 17:39:18.2352021-04-21 17:39:18.235 11241100x80000000000000001550245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:58.918{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json2021-04-19 17:20:23.952 23542300x80000000000000001550244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:58.918{21761711-6344-6080-FE5D-00000000BB01}3548WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.jsonMD5=E7535DE8EE1BE5E7688A85EEFB39FFCD,SHA256=FC09B09EEB8A945EC71EBD641C7E330A37065444F9E33998DA2C69FAB2FB34B4falsefalse - insufficient disk space 13241300x80000000000000001550243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:49:58.918{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3548\0Binary Data 11241100x80000000000000001550242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:58.918{21761711-6344-6080-FE5D-00000000BB01}3548C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json2021-04-19 17:20:23.952 23542300x80000000000000001550241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001550796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\cs_doc1_rundll32.dotm.LNK2021-04-21 16:13:28.077 23542300x80000000000000001550794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\cs_doc1_rundll32.dotm.LNKMD5=D329CC559DE17C413A01FD3BD7DFE94A,SHA256=3488BE129777BBB545DDC88D22D4525ABFED60923E20D03D6692C62D992F3623falsefalse - insufficient disk space 10341000x80000000000000001550793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001550790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001550786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001550783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.941{21761711-65C9-6080-565E-00000000BB01}33484176C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\cs_doc1_rundll32.dotm.LNK2021-04-21 16:13:28.077 734700x80000000000000001550781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14trueMicrosoft WindowsValid 18141800x80000000000000001550780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348\srvsvcC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 734700x80000000000000001550779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x80000000000000001550778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2trueMicrosoft WindowsValid 734700x80000000000000001550777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft 
CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42trueMicrosoft WindowsValid 10341000x80000000000000001550776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-84C9-607D-F200-00000000BB01}3784216C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\windows.storage.dll+3c6d1e|C:\Windows\System32\windows.storage.dll+3c8d0e|C:\Windows\System32\windows.storage.dll+13c3e3|C:\Windows\System32\windows.storage.dll+13bdd9|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-84C9-607D-F200-00000000BB01}3784216C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3c9e7e|C:\Windows\System32\windows.storage.dll+3c5b4f|C:\Windows\System32\windows.storage.dll+3c6c90|C:\Windows\System32\windows.storage.dll+3c8d0e|C:\Windows\System32\windows.storage.dll+13c3e3|C:\Windows\System32\windows.storage.dll+13bdd9|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000001550774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.925{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 13241300x80000000000000001550773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.925{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotm\OpenWithList\MRULista 12241200x80000000000000001550772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.925{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotm\OpenWithList 10341000x80000000000000001550771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}33486760C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c73e8|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}33486760C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c73cc|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common 
Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}33486760C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c73cc|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
12241200x80000000000000001550768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.925{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\Common 12241200x80000000000000001550767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\,1q 23542300x80000000000000001550766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\cs_doc1_rundll32.dotm.LNKMD5=DB4871DA46E60DD81DD2833365E5B314,SHA256=26059D2B74D3BE0A8D92924A871B186437FCDE56EFC6EDC389C7D61E36B37497falsefalse - insufficient disk space 11241100x80000000000000001550765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{4ECC9FC5-CBED-4182-9AE9-8FE8A27EDD92}.tmp2021-04-21 17:50:01.925 734700x80000000000000001550764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.925{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885trueMicrosoft WindowsValid 
11241100x80000000000000001550763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.920{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\Desktop\~$_doc1_rundll32.dotm2021-04-21 16:13:28.056 13241300x80000000000000001550762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.903{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\,1qBinary Data 734700x80000000000000001550761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.903{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECBtrueMicrosoft WindowsValid 734700x80000000000000001550760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.888{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\System32\sppsvc.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001550759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.888{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppobjs.dll10.0.14393.4350 (rs1_release.210407-2154)Software Protection Platform PluginsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsppobjs.dllMD5=08D22BC06420E0B4389F946ABDC798AE,SHA256=54455722DFE424293D6F1FBCA3DAC91127C77EAF26421C51C9D54009F4F9EE55trueMicrosoft WindowsValid 734700x80000000000000001550758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.872{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\twinapi.dll10.0.14393.4169 (rs1_release.210107-1130)twinapiMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.dllMD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44trueMicrosoft WindowsValid 13241300x80000000000000001550757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.872{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001550756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.872{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 734700x80000000000000001550755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.872{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\System32\sppsvc.exeC:\Windows\System32\dsrole.dll10.0.14393.0 (rs1_release.160715-1616)DS Setup Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationDSROLE.DLLMD5=2A319EC8DF0FB5C46CF311B9D2B65B1D,SHA256=62B8900EFDF4B30E54E11232A8DA95DBF066DAEFD364A66EB99ADC028A3798F7trueMicrosoft WindowsValid 734700x80000000000000001550754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.872{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\System32\sppsvc.exeC:\Windows\System32\Clipc.dll10.0.14393.0 
(rs1_release.160715-1616)Client Licensing Platform ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationClipC.dllMD5=C1ADE6C578AFD608EBC63BEB0F85ABD7,SHA256=7195914FD6FF035601607636E8EEFC58074852FD9983DB4A7E9DFEAEFA3D8382trueMicrosoft WindowsValid 734700x80000000000000001550753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.872{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppwinob.dll10.0.14393.3115 (rs1_release_1.190708-1703)Software Protection Platform Windows PluginMicrosoft® Windows® Operating SystemMicrosoft Corporationsppwinob.dllMD5=012E1DA3DB7B8D5128E9DD440573E549,SHA256=6D87AC8C462BEA922F39C75AF8A9458D1FCC5DB1BBC22931AE233EBB2235C35DtrueMicrosoft WindowsValid 12241200x80000000000000001550752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-21 17:50:01.872{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\/0q 11241100x80000000000000001550751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{347A3A16-2659-4988-B61C-C2F5CEC54D2E}.tmp2021-04-21 17:50:01.857 734700x80000000000000001550750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msxml6.dll6.30.14393.4350MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=C5045923028C8BE9DC37AD629100F907,SHA256=4909F1718D20D5CF38DADC30750023DE074E8FE4BA1D7E17AA0F1A2D5DF5745FtrueMicrosoft WindowsValid 
13241300x80000000000000001550749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001550748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001550747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001550746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001550745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001550744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001550743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ncryptsslp.dll10.0.14393.3541 (rs1_release_inmarket.200218-2047)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=E1BDF589E27B64D6637852872F4BA1D0,SHA256=C79B6A4AD264169C5B6F177083FD17C26832CD6A838DB697C7BC3C533A162733trueMicrosoft WindowsValid 734700x80000000000000001550742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 734700x80000000000000001550741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.857{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\System\msvcr100.dll10.00.40219.1Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2010Microsoft Corporationmsvcr100_clr0400.dllMD5=DF3CA8D16BDED6A54977B30E66864D33,SHA256=1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36trueMicrosoft CorporationValid 734700x80000000000000001550740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.841{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FFtrueMicrosoft WindowsValid 734700x80000000000000001550739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.825{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL7.01.1106Visual Basic Design Time EnvironmentVisual Basic EnvironmentMicrosoft Corporation-MD5=0890BD3163852EDB987433AB40631B2B,SHA256=99E6A1505418EA2B1AD84DE8E49D72DA4BD29822EAB088B6CB3ADBBF5EA6532BtrueMicrosoft CorporationValid 13241300x80000000000000001550738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.788{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000100000000F01FEC\Usage\VBAFilesDWORD (0x52950036) 13241300x80000000000000001550737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.788{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000100000000F01FEC\Usage\VBAFilesDWORD (0x52950035) 11241100x80000000000000001550736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.788{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{C690E55C-3200-4E0D-8E4A-2DA4B6496C42}.tmp2021-04-21 17:50:01.788 734700x80000000000000001550735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.788{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 11241100x80000000000000001550734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.788{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.788{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12574A908AD2AD13B9F91E523BC51963,SHA256=A51A9D0913F3D5AAC23051568D50F8020B97F0D99294AC21B30D7F7D5AF700E7falsefalse - insufficient disk space 11241100x80000000000000001550732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.788{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotm2021-04-21 16:13:21.167 734700x80000000000000001550731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.772{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x80000000000000001550730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000001550729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11trueMicrosoft WindowsValid 734700x80000000000000001550728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmiclnt.dll10.0.14393.0 (rs1_release.160715-1616)WMI Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiclnt.dllMD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08trueMicrosoft WindowsValid 734700x80000000000000001550727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI DC and DP functionalityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi.DLLMD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DAtrueMicrosoft WindowsValid 10341000x80000000000000001550726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.772{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000001550724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.772{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x80000000000000001550723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.772{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 734700x80000000000000001550722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 
734700x80000000000000001550721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2trueMicrosoft WindowsValid 734700x80000000000000001550720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000001550719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7trueMicrosoft WindowsValid 12241200x80000000000000001550718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\system32\wbem\wmiprvse.exeHKCR 734700x80000000000000001550717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® 
Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 13241300x80000000000000001550716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.772{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\/0qBinary Data 10341000x80000000000000001550715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.772{21761711-83AE-607D-1600-00000000BB01}11083264C:\Windows\system32\svchost.exe{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.756{21761711-65C9-6080-585E-00000000BB01}7368C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating 
Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 10341000x80000000000000001550631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-83AD-607D-0C00-00000000BB01}7246120C:\Windows\system32\svchost.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001550630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 13241300x80000000000000001550629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 
734700x80000000000000001550628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\System32\sppsvc.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001550627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\System32\sppsvc.exeC:\Windows\System32\sppsvc.exe10.0.14393.4104 (rs1_release.201202-1742)Microsoft Software Protection Platform ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationsppsvc.exeMD5=CE92D4BEC4DCB1921757E4F2FC121837,SHA256=2ED9F59A4EB534F51C6182FF5E40D9C03A6D4D2454E53F787E79CC8FADA209C7trueMicrosoft WindowsValid 10341000x80000000000000001550626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001550625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.725{21761711-83AD-607D-0A00-00000000BB01}6202564C:\Windows\system32\services.exe{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001550624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.721{21761711-65C9-6080-575E-00000000BB01}5612C:\Windows\System32\sppsvc.exe10.0.14393.4104 (rs1_release.201202-1742)Microsoft Software Protection Platform ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationsppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICE{21761711-83AD-607D-E403-000000000000}0x3e40SystemMD5=CE92D4BEC4DCB1921757E4F2FC121837,SHA256=2ED9F59A4EB534F51C6182FF5E40D9C03A6D4D2454E53F787E79CC8FADA209C7{21761711-83AD-607D-0A00-00000000BB01}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001550623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wininet.dll11.00.14393.4283 (rs1_release.210303-1802)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=15916ED65A44D47842A1CC3CE3CF4883,SHA256=7F00B84CE68E843425323FA7F60E49F4011A9A8AB42948E6CEB9B3A204268C53trueMicrosoft WindowsValid 13241300x80000000000000001550620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001550619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000001550618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001550617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x80000000000000001550616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x80000000000000001550615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x80000000000000001550614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft 
Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000001550613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754DtrueMicrosoft WindowsValid 734700x80000000000000001550612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.725{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=37266F6D0E2F86FD3FC6E4724ED49823,SHA256=8AD484F4A7964D2D87047771BB21D3211F204F87D4EB029C1EFAA4FD935333B1trueMicrosoft WindowsValid 734700x80000000000000001550611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.724{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 734700x80000000000000001550610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.723{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 
(rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid 734700x80000000000000001550609Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.722{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001550608Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.722{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 10341000x80000000000000001550607Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.721{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550606Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.721{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550605Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.721{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550604Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.720{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x80000000000000001550603Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.720{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000001550602Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.720{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000001550601Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:50:01.720{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000001550600Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.720{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000001550599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.720{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 734700x80000000000000001550598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.719{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x80000000000000001550597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.703{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22trueMicrosoft WindowsValid 12241200x80000000000000001550596Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.703{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000001550595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.703{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 
12241200x80000000000000001550594Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.703{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000001550593Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.703{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 12241200x80000000000000001550592Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.703{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKCR 10341000x80000000000000001550591Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.703{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550590Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.703{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001550589Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.703{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\SessionIdBinary Data 10341000x80000000000000001550588Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.703{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-83AD-607D-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550587Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.703{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\normaliz.dll10.0.14393.0 (rs1_release.160715-1616)Unicode Normalization DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnormaliz.dllMD5=65930A2C537774A8CBB0A1BE20266D51,SHA256=2879DECC03521C385C5D29381B002E7B70BB448BC2787D9C08174592C7D80BC8trueMicrosoft WindowsValid 734700x80000000000000001550586Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.703{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 
13241300x80000000000000001550585Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.703{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\AutoProvisioning\LastFetchDetailDWORD (0x0000001c) 734700x80000000000000001550584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.703{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x80000000000000001550583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.703{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x80000000000000001550582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.703{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL16.0.13127.20164Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmsptls.dllMD5=1BAB8E8FA116706ECB69AEAEA58277CB,SHA256=C7F3FE053C22DB4CE9F35B15F21A128DAEAED296B75D40B68D1F60E341F81E9EtrueMicrosoft CorporationValid 
734700x80000000000000001550501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.656{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Security.Authentication.Web.Core.dll10.0.14393.4169 (rs1_release.210107-1130)Token Broker WinRT APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Security.Authentication.Web.Core.dllMD5=E3AB65431FF6EA142FECF301220904D0,SHA256=60F168A317109BA364699F1FA1A2DDD8E5B0008A16CD7F1DB80583848DFCA7CFtrueMicrosoft WindowsValid 734700x80000000000000001550500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.656{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x80000000000000001550499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.656{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 11241100x80000000000000001550498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.656{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 
13:21:25.072 23542300x80000000000000001550497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.656{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FDF5F51CB77B18D4757FDB1B4898CF,SHA256=652721E61E4EB7AEDCC2FDC6EE546DBEB893A0AB1218D112622D09CEBE00EBE5falsefalse - insufficient disk space 10341000x80000000000000001550496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.640{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.640{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.640{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001550493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.640{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001550492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.640{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9DtrueMicrosoft WindowsValid 734700x80000000000000001550491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.640{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d11.dll10.0.14393.4169 (rs1_release.210107-1130)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=EDCE49E7FDE3BD70DF70F05B8C47ACD4,SHA256=864EC8827EB03CDF7F2FC5E318283A7835E600CE548590C59E1DCF8BF8112089trueMicrosoft WindowsValid 734700x80000000000000001550490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.640{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10_1core.dll10.0.14393.0 (rs1_release.160715-1616)Direct3D 10.1 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10_1Core.dllMD5=AD41EACFB2A670E17F2C09F8AB06F428,SHA256=208B4CF05936AC21EB0337FB17B1B8F12D778A6E880435C589202457EB0CF73EtrueMicrosoft WindowsValid 734700x80000000000000001550489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.640{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d3d10_1.dll10.0.14393.0 (rs1_release.160715-1616)Direct3D 10.1 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10_1.dllMD5=9945D52ACD8FED11F0A636F916C4FF16,SHA256=97C5A99ED38F8516133D6B95070C5998BAAE75EAEF730531D91B81FEE4B81D82trueMicrosoft WindowsValid 13241300x80000000000000001550488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:50:01.625{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001550487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.625{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001550486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.625{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.625{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.625{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.625{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.625{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid 734700x80000000000000001550481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.625{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885trueMicrosoft WindowsValid 734700x80000000000000001550480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.625{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 12241200x80000000000000001550479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001550478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001550477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001550476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001550475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000001550474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 
Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 12241200x80000000000000001550473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000001550459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.622{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.619{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x80000000000000001550454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.619{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\s/qBinary Data 12241200x80000000000000001550453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.619{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems 12241200x80000000000000001550452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.619{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency 12241200x80000000000000001550451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001550450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001550449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001550448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x80000000000000001550447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft 
WindowsValid 12241200x80000000000000001550446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001550445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001550435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.618{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.603{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 
12241200x80000000000000001550431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.603{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001550430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.603{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001550429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.603{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001550428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.603{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x80000000000000001550427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AEtrueMicrosoft WindowsValid 734700x80000000000000001550426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223trueMicrosoft WindowsValid 10341000x80000000000000001550425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-83AD-607D-0C00-00000000BB01}7245768C:\Windows\system32\svchost.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid 734700x80000000000000001550422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000001550421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-83AE-607D-1600-00000000BB01}11086004C:\Windows\system32\svchost.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001550419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 12241200x80000000000000001550418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.603{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001550417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187EtrueMicrosoft WindowsValid 11241100x80000000000000001550416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{A6DFB4F7-B699-43CE-B9A9-C61D0BE35D08} - OProcSessId.dat2021-04-21 17:50:01.603 13241300x80000000000000001550415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000001) 13241300x80000000000000001550414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.603{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000002) 734700x80000000000000001550413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.587{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\msi.dll5.0.14393.4350Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=DEC633243BDCEAD0E3BDDDAFBC933F02,SHA256=FC9AFA9CDD6ECC1194C1532F37AF6FEE9E888DC5D2056BCE0C59538A389FC9DEtrueMicrosoft WindowsValid 
13241300x80000000000000001550412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.587{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348\0Binary Data 12241200x80000000000000001550411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.587{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348 734700x80000000000000001550410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.587{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 13241300x80000000000000001550409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.587{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling\0Binary Data 734700x80000000000000001550408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.587{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft 
CorporationMSO.dllMD5=4FB7C52B5A56E2A4A47B8A9D0B94C274,SHA256=31D782B41576C93F0D440D2797EEA97C2C452E27C2119220DB3B9E37378D1AF4trueMicrosoft CorporationValid 734700x80000000000000001550407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.571{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid 734700x80000000000000001550406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.571{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso98Win32Client.dllMD5=A2DA2F37011629C919B6BC2F261600A4,SHA256=3B904FF382D604527E2853C0FA2780F591C7AC235CC98758E997750FC138AA83trueMicrosoft CorporationValid 734700x80000000000000001550405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.571{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso50win32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso50Win32Client.dllMD5=5EC58D31A1B7A5F5E00E7D7D71A336A4,SHA256=716354C33ED74A02ABFF15498EE619D9E916C5DD268EA59A7AC5C8F5BEDAAA57trueMicrosoft CorporationValid 734700x80000000000000001550404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.571{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso40UIwin32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft Corporationmso40uiWin32Client.dllMD5=ED817FC4D5C18B04726F8EE7C89EFF39,SHA256=C6F13CEC53F3216FEC098ED30ED5F4F935FF897D40C463D130B71305911DF1F5trueMicrosoft CorporationValid 734700x80000000000000001550403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.571{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 734700x80000000000000001550402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.571{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso30Win32Client.dllMD5=07AC00D96DD2A96C07386BAB1BA8BD63,SHA256=B0A63D4055AFBAAD131972DD9E70E404F2116DB5C09702E8CFC559B468F8CC66trueMicrosoft CorporationValid 734700x80000000000000001550401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.571{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 734700x80000000000000001550400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.571{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001550399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.556{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 734700x80000000000000001550398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.556{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\RstrtMgr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Restart ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRstrtMgr.dllMD5=F14EA4521A8C000F1165581B5837355E,SHA256=6CB383C1FFB8AB7301B1666EEA83FD484EA049147C834725894652DB20D28359trueMicrosoft WindowsValid 734700x80000000000000001550397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.556{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 
(rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000001550396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.556{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso20Win32Client.dllMD5=8A534D2BDBC58D598A4C5624D016AB73,SHA256=A98B2C3A5DD863A639B2ABA879911B0DC1FFB51980F4E3831332CB40CA6B7324trueMicrosoft CorporationValid 734700x80000000000000001550395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.556{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x80000000000000001550394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.556{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4350_none_aecb7b4dddd42c62\GdiPlus.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft 
CorporationgdiplusMD5=22905195515813858B52CE4DC79B3FB9,SHA256=CC74B32225A286C5BE81CE792FF7AF86F6AB434519A4A47B7A1CC364D8DF18D9trueMicrosoft WindowsValid 734700x80000000000000001550393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.556{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\OART.DLL16.0.13127.21452Microsoft OfficeArtMicrosoft OfficeMicrosoft CorporationOART.DLLMD5=E5F9D41891CD22C534DCAD478F1545E6,SHA256=5F3D7CC47AF5CD0AFF7E50B41DA24E787ACF70DB163A2678DE648549627C2016trueMicrosoft CorporationValid 734700x80000000000000001550392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.556{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL16.0.13127.21454Microsoft WordMicrosoft OfficeMicrosoft Corporationwwlib.dllMD5=682E969F9862D7CFC2E55676F4DC2312,SHA256=446EF7ECEE88C24DA556E3DA02B63B43704D1636353DBC01FD639F20C2C0908BtrueMicrosoft CorporationValid 12241200x80000000000000001550391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.524{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun 12241200x80000000000000001550390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.524{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office 12241200x80000000000000001550389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.524{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft 
12241200x80000000000000001550388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.524{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE 10341000x80000000000000001550387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.524{21761711-85CB-607D-5301-00000000BB01}70085280C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4c224|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4dd30|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+584fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+57f5f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+56e48|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.524{21761711-85CB-607D-5301-00000000BB01}70085280C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+73c87|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+7522e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+14519|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a430|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001550385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.524{21761711-85CB-607D-5301-00000000BB01}70085280C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+2d73e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+16070|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+15184|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17233|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a40c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 13241300x80000000000000001550384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:50:01.522{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data 13241300x80000000000000001550383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.521{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 12241200x80000000000000001550382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.502{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotm\OpenWithList 12241200x80000000000000001550381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.502{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\RegisteredApplications 12241200x80000000000000001550380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.502{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\RegisteredApplications 13241300x80000000000000001550379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.502{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotm\OpenWithProgids\Word.TemplateMacroEnabled.12Binary Data 12241200x80000000000000001550378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:50:01.502{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dotm\OpenWithProgids 10341000x80000000000000001550377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.502{21761711-85CB-607D-5301-00000000BB01}70085280C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+976c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001550376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.502{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.dotm\MRUListExBinary Data 13241300x80000000000000001550375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:50:01.502{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.dotm\0Binary Data 12241200x80000000000000001550374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.502{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001550373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.502{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 13241300x80000000000000001550372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.502{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\3Binary Data 734700x80000000000000001550371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.487{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x80000000000000001550370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.502{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001550369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:50:01.455{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 354300x80000000000000001550269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:49:58.767{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65006-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x80000000000000001550268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.286{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001550267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:01.286{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000001550266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.286{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001550265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:01.286{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\308046O0NS4N39POBinary Data 11241100x80000000000000001550264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:01.186{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.186{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A186D21DCED2136E94C25E696939E19,SHA256=31541E40E3D5197454BEF05FCAA684669D43BABD0CA731CFA7036E34B726D089falsefalse - insufficient disk space 10341000x80000000000000001067593Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:02.994{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067592Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:02.994{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067591Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:49:58.417{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51787- 23542300x80000000000000001067590Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:02.764{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7321758699ED7CF7E19229E6EF440532,SHA256=9757493E8767DFCDA057335CCA951763504655C09882C67097F80A1150215675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067589Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:02.438{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26207C4B0876B6FCEC8FA821394267F7,SHA256=38B7AB3FBA82965DA628330281CEEA4AE3C8AD34755F6A54FAE9E757438F2CE9,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001550883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.489{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001550882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.489{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DF6E622C426FE50141096107EAA426EA,SHA256=392B2FEA596B98FA738437CC21F99F3D97A81702A18C42BD5AD3F10E4E19FC0Efalsefalse - insufficient disk space 11241100x80000000000000001550881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.489{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001550880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.489{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C6E9ACD969374FFC2750925E64D66FC6,SHA256=4BB191B80A2750F6DF7D8310F8C927FDB78B02A918DC8E9AB7887CB7D3592137falsefalse - insufficient disk space 11241100x80000000000000001550879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.473{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 
23542300x80000000000000001550878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.473{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB2C07232E771A0A5D9AEB74D23DD72C,SHA256=9013247FA6884D8775BB85C2EA8383242CF2DFF0AB74CCD63CE29165012C1EC8falsefalse - insufficient disk space 734700x80000000000000001550877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.424{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\dsparse.dll10.0.14393.0 (rs1_release.160715-1616)Active Directory Domain Services APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdsparse.dllMD5=E9B5EFC173FDD55C00B2F28B8BAC144B,SHA256=0CA602484CD0E2C67091FCD60091608BF746B1D05B353DB9805D1CAE0ED09D70trueMicrosoft WindowsValid 734700x80000000000000001550876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.423{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001550875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.423{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\certca.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Microsoft® Active Directory Certificate Services CAMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCertCaMD5=8F23364460E12C9A157F88B9B4A86F2E,SHA256=51B5550668D6420C5DA988FEF83564DD9B4E911866EF4FC80748C8B219789F23trueMicrosoft WindowsValid 734700x80000000000000001550874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.422{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\CertEnroll.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft® Active Directory Certificate Services Enrollment ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationCertEnrollMD5=20ADB479CDAFBDFB60D8D6E0AD7D6588,SHA256=C1C86EE623A9BCA85CE4D6AD7DA9F75C18E62DA2341219FCF45A73FD0CF5123BtrueMicrosoft WindowsValid 734700x80000000000000001550873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.389{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 734700x80000000000000001550872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.389{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178DtrueMicrosoft WindowsValid 13241300x80000000000000001550871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.326{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x80000000000000001550870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.326{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x80000000000000001550869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.326{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x80000000000000001550868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.325{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\fwbase.dll10.0.14393.0 (rs1_release.160715-1616)Firewall Base DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationfwbase.dllMD5=216C0DC7BEBD19C616A7BCE54F57F70C,SHA256=2305E780D161A736DB237727AC78EC1D2462793FD5013D126621B4BBBB16D743trueMicrosoft WindowsValid 734700x80000000000000001550867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.324{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\biwinrt.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Background Broker InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationbiwinrt.dllMD5=1774BAC67716351387E5F11635DEED8D,SHA256=74F9B4190CFFADCE3ED3F61D4FD6A4F7CCC6EE0F42E3452D018E8160ECB3BE1FtrueMicrosoft WindowsValid 
734700x80000000000000001550866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.324{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\FirewallAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Firewall APIMicrosoft® Windows® Operating SystemMicrosoft CorporationFirewallAPI.DLLMD5=C7DD193AFCCF63B97C559993608EDAF0,SHA256=26E7628E9C65352F730F38D7BF32A845CC1CAEEC034152B1CDE85F9B89D1A6DCtrueMicrosoft WindowsValid 734700x80000000000000001550865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.323{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.HostName.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Networking.HostName DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.HostName.dllMD5=8DF028D66876592B54CEF5631E727C2E,SHA256=C16C85F3D505EDE6F2566DF7140171F5AB4A71DDDEEDC653D846D3954AA8E99AtrueMicrosoft WindowsValid 734700x80000000000000001550864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.323{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.Connectivity.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Networking Connectivity Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.Connectivity.dllMD5=7934F613774F04B5BFD097B3D77F81FB,SHA256=E1A32AADFED0859269C89D4E1C961D3BC8EA2A5FA86487C9817BB52899E0F60EtrueMicrosoft WindowsValid 734700x80000000000000001550863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.322{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\Windows.Networking.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Networking 
DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.dllMD5=79801C7A91F51A659B0BBA4E80FFFA6B,SHA256=A261D0F4572FAE532461712C90129E14682B09FA651742DBD856F28430586CA7trueMicrosoft WindowsValid 11241100x80000000000000001550862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.304{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725 23542300x80000000000000001550861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.304{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9F82E1B505272178012AEB19ABA99D3E,SHA256=968FEE79BDACEAD042788AD81C430C07CD70C1E30636C8FB25DD2B0CAE64F108falsefalse - insufficient disk space 734700x80000000000000001550860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.289{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\CHAKRACORE.DLL1.11.24.0 (servicing/2012:d01dc98328550b8f594177218860b11fbce12c57.00052.02725.201113-1810)Microsoft ® Chakra CoreMicrosoft ® Chakra CoreMicrosoft Corporationchakracore.dllMD5=02836114F7E6C8337FD62902B20001AE,SHA256=8D942362D971E49FF5805C59F9B224C7AC9E4CD8006887D16A4898B271F654CCtrueMicrosoft CorporationValid 734700x80000000000000001550859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.289{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\concrt140.dll14.24.28127.4 built by: vcwrkspcMicrosoft® Concurrency Runtime LibraryMicrosoft® 
Visual Studio®Microsoft Corporationconcrt140.dllMD5=EB42B164D603672E07997019BB00E4AD,SHA256=DABDB0732B2FC14040CEDBBFD369D9EB3C7A2E66B38A79892E1C05E6D6A8526DtrueMicrosoft CorporationValid 734700x80000000000000001550858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.289{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll0.60.0-vnext.170React-Native-WindowsReact-Native-WindowsMicrosoftreact-native-win32.dllMD5=78C2BA2842F00F4F81D0E07C7615FB8A,SHA256=A35BF7A6F46E8CAE687E18DF99E4C4CF0FC67094E36E2FAD738B211265D56868trueMicrosoft CorporationValid 10341000x80000000000000001550857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.273{21761711-65C9-6080-565E-00000000BB01}33483628C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+5ea29b|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+eb823|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+ee1eb|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+159874|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+3adce|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+1f2312|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft 
Office\Root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001550856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.242{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x52950033) 13241300x80000000000000001550855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.242{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x52950032) 13241300x80000000000000001550854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.242{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x52950033) 13241300x80000000000000001550853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.242{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x52950032) 
13241300x80000000000000001550852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.242{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x52950053) 13241300x80000000000000001550851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.242{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x52950052) 13241300x80000000000000001550850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.242{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400100000000F01FEC\Usage\SpellingAndGrammarFiles_1036DWORD (0x52950031) 13241300x80000000000000001550849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.226{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00100000000F01FEC\Usage\SpellingAndGrammarFiles_3082DWORD (0x52950031) 13241300x80000000000000001550848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.226{21761711-65C9-6080-565E-00000000BB01}3348C:\Program 
Files\Microsoft Office\Root\Office16\WINWORD.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033DWORD (0x52950051) 13241300x80000000000000001550847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:02.226{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3348\0Binary Data 10341000x80000000000000001550846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.222{21761711-84C9-607D-F200-00000000BB01}37847552C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001550845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:02.204{21761711-84C9-607D-F200-00000000BB01}37844668C:\Windows\Explorer.EXE{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft 
[continuation of a Sysmon ProcessAccess record whose start is not in this extract] TargetImage (leading part cut off)="Office\Root\Office16\WINWORD.EXE" GrantedAccess="0x1000" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="13" Version="2" Level="4" Task="13" Opcode="0" Keywords="0x8000000000000000" RecordID="1550844" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="SetValue" UtcTime="2021-04-21 17:50:02.204" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A062E\VirtualDesktop" Details="Binary Data"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550843" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="CreateKey" UtcTime="2021-04-21 17:50:02.204" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000A062E"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550842" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.204" SourceProcessGUID="{21761711-84C9-607D-F200-00000000BB01}" SourceProcessId="3784" SourceThreadId="4668" SourceImage="C:\Windows\Explorer.EXE" TargetProcessGUID="{21761711-65C9-6080-565E-00000000BB01}" TargetProcessId="3348" TargetImage="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" GrantedAccess="0x1000" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550841" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.204" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" CreationUtcTime="2021-04-19 13:19:52.725"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550840" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.204" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" Hashes="MD5=8893E744A16BA3635F6E665F36E76A74,SHA256=1B0AC7DB8A40D6387DB61D8D4FFA7A7256173553650139B403B9719295F48539" IsExecutable="false" Archived="false - insufficient disk space"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550839" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.204" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550838" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.204" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=23CBAB7AA59F8ECC4D11DF59D9998682,SHA256=30F8E101F0E6A0ED0017EF6AF72C0CE14B78424A6955C6CDD61EE62750123564" IsExecutable="false" Archived="false - insufficient disk space"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550837" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.141" SourceProcessGUID="{21761711-65C9-6080-575E-00000000BB01}" SourceProcessId="5612" SourceThreadId="5444" SourceImage="C:\Windows\system32\sppsvc.exe" TargetProcessGUID="{21761711-84C9-607D-F200-00000000BB01}" TargetProcessId="3784" TargetImage="C:\Windows\Explorer.EXE" GrantedAccess="0x40" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+7ec28|C:\Windows\system32\sppsvc.exe+749f0|C:\Windows\system32\sppsvc.exe+95a0e|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550836" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.141" SourceProcessGUID="{21761711-65C9-6080-575E-00000000BB01}" SourceProcessId="5612" SourceThreadId="5444" SourceImage="C:\Windows\system32\sppsvc.exe" TargetProcessGUID="{21761711-84C9-607D-F200-00000000BB01}" TargetProcessId="3784" TargetImage="C:\Windows\Explorer.EXE" GrantedAccess="0x100000" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+74b0a|C:\Windows\system32\sppsvc.exe+959c1|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550835" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.126" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" CreationUtcTime="2021-04-19 13:19:52.725"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550834" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.126" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" Hashes="MD5=8DEC6361048E89F168A86EE291A671B5,SHA256=ED9F188B5442C0B2750FE2562E19762D024166D787BDC683B244B76CBF66088A" IsExecutable="false" Archived="false - insufficient disk space"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550833" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.126" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Windows\System32\rsaenh.dll" FileVersion="10.0.14393.2969 (rs1_release.190503-1820)" Description="Microsoft Enhanced Cryptographic Provider" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="rsaenh.dll" Hashes="MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550832" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.125" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Windows\System32\cryptsp.dll" FileVersion="10.0.14393.2969 (rs1_release.190503-1820)" Description="Cryptographic Service Provider API" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="cryptsp.dll" Hashes="MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550831" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.125" SourceProcessGUID="{21761711-65C9-6080-575E-00000000BB01}" SourceProcessId="5612" SourceThreadId="5144" SourceImage="C:\Windows\system32\sppsvc.exe" TargetProcessGUID="{21761711-84C8-607D-EB00-00000000BB01}" TargetProcessId="1744" TargetImage="C:\Windows\System32\RuntimeBroker.exe" GrantedAccess="0x40" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+7ec28|C:\Windows\system32\sppsvc.exe+749f0|C:\Windows\system32\sppsvc.exe+95a0e|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550830" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.125" SourceProcessGUID="{21761711-65C9-6080-575E-00000000BB01}" SourceProcessId="5612" SourceThreadId="5144" SourceImage="C:\Windows\system32\sppsvc.exe" TargetProcessGUID="{21761711-84C8-607D-EB00-00000000BB01}" TargetProcessId="1744" TargetImage="C:\Windows\System32\RuntimeBroker.exe" GrantedAccess="0x100000" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+74b0a|C:\Windows\system32\sppsvc.exe+959c1|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550829" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.118" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Windows\System32\globinputhost.dll" FileVersion="10.0.14393.2457 (rs1_release_inmarket.180822-1743)" Description="Windows Globalization Extension API for Input" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="globinputhost.dll" Hashes="MD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDC" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550828" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.118" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Windows\System32\BCP47Langs.dll" FileVersion="10.0.14393.2457 (rs1_release_inmarket.180822-1743)" Description="BCP47 Language Classes" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="BCP47Lang.dll" Hashes="MD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550827" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.101" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Windows\System32\Windows.Globalization.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Windows Globalization" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="Windows.Globalization.dll" Hashes="MD5=D48D3F64A7718C672CDEC0B7A8CB7695,SHA256=C459390E3E67665FC2413469F8C29544DB9421D14B6C40F68B1674C924898B71" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550826" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.101" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" CreationUtcTime="2021-04-19 13:19:52.725"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550825" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.101" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" Hashes="MD5=950C734F25DD71878EDCC3030FA621CE,SHA256=A98C75841DD582576C7E84FFAC677BA43EBC7F270BF5AFF87BA3DF576471BC6D" IsExecutable="false" Archived="false - insufficient disk space"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550824" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="CreateKey" UtcTime="2021-04-21 17:50:02.054" ProcessGuid="{21761711-85CB-607D-5301-00000000BB01}" ProcessId="7008" Image="C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Office\Common"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550823" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="DeleteKey" UtcTime="2021-04-21 17:50:02.054" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550822" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="DeleteKey" UtcTime="2021-04-21 17:50:02.054" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550821" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="DeleteValue" UtcTime="2021-04-21 17:50:02.054" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems\s/q"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550820" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.045" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" CreationUtcTime="2021-04-19 13:19:52.725"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550819" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.044" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" Hashes="MD5=7DF096EADAD499A39D737BBABDA0695A,SHA256=492A26B53CBB2E8B2CDA3E4E8C991E0D468905231883CBC11A1671C5E849AAF2" IsExecutable="false" Archived="false - insufficient disk space"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550818" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="CreateKey" UtcTime="2021-04-21 17:50:02.026" ProcessGuid="{21761711-85CB-607D-5301-00000000BB01}" ProcessId="7008" Image="C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Office\Common"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550817" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.026" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Windows\System32\dcomp.dll" FileVersion="10.0.14393.4169 (rs1_release.210107-1130)" Description="Microsoft DirectComposition Library" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="dcomp.dll" Hashes="MD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6E" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550816" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.024" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550815" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.024" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=E55D497BE22782C81ABDC0A061DBC004,SHA256=D40B00BF7BB0D60BF90262D67FDE007FD3C69E90E8DEE5F4F2B597270E6AE2E6" IsExecutable="false" Archived="false - insufficient disk space"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550814" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.004" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Windows\System32\msimg32.dll" FileVersion="10.0.14393.0 (rs1_release.160715-1616)" Description="GDIEXT Client DLL" Product="Microsoft® Windows® Operating System" Company="Microsoft Corporation" OriginalFileName="gdiext" Hashes="MD5=78DA58DF85F86CA61E5EAFB9EF0A83BE,SHA256=3216205F5C355D582EC4B902651B62E1FF3EFFDCA40BC849D474F13F1325E962" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550813" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.004" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Program Files\Microsoft Office\root\Office16\GFX.DLL" FileVersion="16.0.13127.21210" Description="Microsoft Office Graphics" Product="Microsoft Office" Company="Microsoft Corporation" OriginalFileName="GFX.DLL" Hashes="MD5=668097B2D740561081C0F7A9495457D9,SHA256=7DE7CC50306AD0F6FE3406537092C9F8DC5BBB0FF16E30A55BE3694895FFD293" Signed="true" Signature="Microsoft Corporation" SignatureStatus="Valid"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550904" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.946" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" CreationUtcTime="2021-04-19 13:19:52.725"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550903" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.946" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" Hashes="MD5=522ACF6594DADEA9F95A033EAD123E8D,SHA256=A6F64B00A934933519A93310F7D292094E92BBAADCAE196DD718528F164287C9" IsExecutable="false" Archived="false - insufficient disk space"
EventID="13" Version="2" Level="4" Task="13" Opcode="0" Keywords="0x8000000000000000" RecordID="1550902" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="SetValue" UtcTime="2021-04-21 17:50:03.946" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000120262\VirtualDesktop" Details="Binary Data"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550901" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="CreateKey" UtcTime="2021-04-21 17:50:03.946" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000120262"
EventID="22" Version="5" Level="4" Task="22" Opcode="0" Keywords="0x8000000000000000" RecordID="1550900" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:02.262" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" QueryName="augloop.office.com" QueryStatus="0" QueryResults="type: 5 augloop-prod.trafficmanager.net;type: 5 augloop-prod-002.westus.cloudapp.azure.com;::ffff:52.111.245.11;" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EventID="22" Version="5" Level="4" Task="22" Opcode="0" Keywords="0x8000000000000000" RecordID="1550899" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:01.668" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" QueryName="support.content.office.net" QueryStatus="0" QueryResults="type: 5 support.content.office.net.edgekey.net;type: 5 e584.g.akamaiedge.net;::ffff:23.218.108.30;" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550898" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.892" SourceProcessGUID="{21761711-65C9-6080-565E-00000000BB01}" SourceProcessId="3348" SourceThreadId="3628" SourceImage="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetProcessGUID="{21761711-84C8-607D-EA00-00000000BB01}" TargetProcessId="3720" TargetImage="C:\Windows\System32\rdpclip.exe" GrantedAccess="0x1400" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+3b117|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+1f2312|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="13" Version="2" Level="4" Task="13" Opcode="0" Keywords="0x8000000000000000" RecordID="1550897" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="SetValue" UtcTime="2021-04-21 17:50:03.877" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA" Details="Binary Data"
EventID="13" Version="2" Level="4" Task="13" Opcode="0" Keywords="0x8000000000000000" RecordID="1550896" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="SetValue" UtcTime="2021-04-21 17:50:03.877" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15" Details="Binary Data"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550895" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.877" SourceProcessGUID="{21761711-84C9-607D-F200-00000000BB01}" SourceProcessId="3784" SourceThreadId="7552" SourceImage="C:\Windows\Explorer.EXE" TargetProcessGUID="{21761711-65C9-6080-565E-00000000BB01}" TargetProcessId="3348" TargetImage="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" GrantedAccess="0x1000" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550894" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.645" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550893" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.645" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=294951FF3F4E296001CA7A1AB8E8555C,SHA256=1D27A95A7DE4D4E85239B45F98DA459F0F2811AADD25D00E642BC984F223E24E" IsExecutable="false" Archived="false - insufficient disk space"
EventID="13" Version="2" Level="4" Task="13" Opcode="0" Keywords="0x8000000000000000" RecordID="1550892" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="SetValue" UtcTime="2021-04-21 17:50:03.407" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CB" Details="QWORD (0x01d736d6-0xc1dc784e)"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550891" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="CreateKey" UtcTime="2021-04-21 17:50:03.407" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550890" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="CreateKey" UtcTime="2021-04-21 17:50:03.407" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550889" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.407" SourceProcessGUID="{21761711-84C9-607D-F200-00000000BB01}" SourceProcessId="3784" SourceThreadId="4264" SourceImage="C:\Windows\Explorer.EXE" TargetProcessGUID="{21761711-C665-607D-D60D-00000000BB01}" TargetProcessId="4492" TargetImage="C:\Program Files\Mozilla Firefox\firefox.exe" GrantedAccess="0x40" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)|UNKNOWN(FFFFF2D93DAB4A38)|UNKNOWN(FFFFF2D93DAB4BB7)|UNKNOWN(FFFFF2D93DAAF241)|UNKNOWN(FFFFF2D93DAB0C0A)|UNKNOWN(FFFFF2D93DAAEEC6)|UNKNOWN(FFFFF803579F7E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550888" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.407" SourceProcessGUID="{21761711-84C9-607D-F200-00000000BB01}" SourceProcessId="3784" SourceThreadId="4264" SourceImage="C:\Windows\Explorer.EXE" TargetProcessGUID="{21761711-C665-607D-D60D-00000000BB01}" TargetProcessId="4492" TargetImage="C:\Program Files\Mozilla Firefox\firefox.exe" GrantedAccess="0x40" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)|UNKNOWN(FFFFF2D93DAB4A38)|UNKNOWN(FFFFF2D93DAB4BB7)|UNKNOWN(FFFFF2D93DAAF241)|UNKNOWN(FFFFF2D93DAB0C0A)|UNKNOWN(FFFFF2D93DAAEEC6)|UNKNOWN(FFFFF803579F7E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550887" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.407" ProcessGuid="{21761711-C665-607D-D60D-00000000BB01}" ProcessId="4492" User="WIN-HOST-5\Administrator" Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename="C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb436ae8.TMP" Hashes="MD5=0A3987995CAABA9D2D05576BFBDACCA4,SHA256=134B5D92AEA1E4DCEEF95C6317D978F0F8DF8AC008963BBBF96453B3409DC3FF" IsExecutable="false" Archived="false - insufficient disk space"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550886" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.407" ProcessGuid="{21761711-C665-607D-D60D-00000000BB01}" ProcessId="4492" Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename="C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb436ae8.TMP" CreationUtcTime="2021-04-21 17:50:03.407"
EventID="2" Version="5" Level="4" Task="2" Opcode="0" Keywords="0x8000000000000000" RecordID="1550885" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.407" ProcessGuid="{21761711-C665-607D-D60D-00000000BB01}" ProcessId="4492" Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename="C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SIBOTV6FSK6A4J68D41A.temp" CreationUtcTime="2021-04-19 13:28:44.759" PreviousCreationUtcTime="2021-04-21 17:50:03.391"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550884" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.391" ProcessGuid="{21761711-C665-607D-D60D-00000000BB01}" ProcessId="4492" Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename="C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SIBOTV6FSK6A4J68D41A.temp" CreationUtcTime="2021-04-21 17:50:03.391"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1067597" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.994" SourceProcessGUID="{761B69BB-818C-607D-0C00-00000000BA01}" SourceProcessId="844" SourceThreadId="972" SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID="{761B69BB-84E2-607D-1F03-00000000BA01}" TargetProcessId="5220" TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess="0x3600" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1067596" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.994" SourceProcessGUID="{761B69BB-818C-607D-0C00-00000000BA01}" SourceProcessId="844" SourceThreadId="972" SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID="{761B69BB-84E4-607D-2203-00000000BA01}" TargetProcessId="5440" TargetImage="C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" GrantedAccess="0x3600" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="3" Version="5" Level="4" Task="3" Opcode="0" Keywords="0x8000000000000000" RecordID="1067595" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:49:59.002" ProcessGuid="{761B69BB-819C-607D-2800-00000000BA01}" ProcessId="2912" Image="C:\Windows\System32\dns.exe" User="NT AUTHORITY\SYSTEM" Protocol="udp" Initiated="false" SourceIsIpv6="false" SourceIp="10.0.1.14" SourceHostname="win-dc-982.attackrange.local" SourcePort="53" SourcePortName="domain" DestinationIsIpv6="false" DestinationIp="10.0.1.15" DestinationHostname="ip-10-0-1-15.us-west-2.compute.internal" DestinationPort="58856" DestinationPortName="-"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1067594" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:03.448" ProcessGuid="{761B69BB-820D-607D-D800-00000000BA01}" ProcessId="1064" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=08FF75D1A983D8F3380F28FD7AE75E5D,SHA256=339B086E57617AFC235F29EFC2920FE8BAFC551F1CBEBA0BD799D51D7B272CDC,IMPHASH=00000000000000000000000000000000" IsExecutable="false" Archived="true"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550913" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="CreateKey" UtcTime="2021-04-21 17:50:04.509" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders"
EventID="12" Version="2" Level="4" Task="12" Opcode="0" Keywords="0x8000000000000000" RecordID="1550912" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="CreateKey" UtcTime="2021-04-21 17:50:04.509" ProcessGuid="{21761711-84C9-607D-F200-00000000BB01}" ProcessId="3784" Image="C:\Windows\Explorer.EXE" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550911" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.494" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550910" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.494" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=FEA351C30B61E76AE33AE12AED2BBAE6,SHA256=0230E4EB22C9644B9C4CB890B7490A8181EE2C85244A4A53AF843BA896C16A6C" IsExecutable="false" Archived="false - insufficient disk space"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1067602" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.995" SourceProcessGUID="{761B69BB-818C-607D-0C00-00000000BA01}" SourceProcessId="844" SourceThreadId="972" SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID="{761B69BB-84E2-607D-1F03-00000000BA01}" TargetProcessId="5220" TargetImage="C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" GrantedAccess="0x3600" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1067601" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.995" SourceProcessGUID="{761B69BB-818C-607D-0C00-00000000BA01}" SourceProcessId="844" SourceThreadId="972" SourceImage="C:\Windows\system32\svchost.exe" TargetProcessGUID="{761B69BB-84E4-607D-2203-00000000BA01}" TargetProcessId="5440" TargetImage="C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" GrantedAccess="0x3600" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="3" Version="5" Level="4" Task="3" Opcode="0" Keywords="0x8000000000000000" Record0="" RecordID="1067600" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:49:59.913" ProcessGuid="{761B69BB-8207-607D-CF00-00000000BA01}" ProcessId="4116" Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol="tcp" Initiated="true" SourceIsIpv6="false" SourceIp="10.0.1.14" SourceHostname="win-dc-982.attackrange.local" SourcePort="32518" SourcePortName="-" DestinationIsIpv6="false" DestinationIp="10.0.1.12" DestinationHostname="-" DestinationPort="8000" DestinationPortName="-"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1067599" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.454" ProcessGuid="{761B69BB-820D-607D-D800-00000000BA01}" ProcessId="1064" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes="MD5=1EBC4291C709BAE77A3969410D2566BB,SHA256=C59CC243E73DF61785DFD2AEAF35C86B935B4E57E9833C410D5F194A4B5D1838,IMPHASH=00000000000000000000000000000000" IsExecutable="false" Archived="true"
EventID="3" Version="5" Level="4" Task="3" Opcode="0" Keywords="0x8000000000000000" RecordID="1550909" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:01.319" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" User="WIN-HOST-5\Administrator" Protocol="tcp" Initiated="true" SourceIsIpv6="false" SourceIp="10.0.1.15" SourceHostname="win-host-5.attackrange.local" SourcePort="65007" SourcePortName="-" DestinationIsIpv6="false" DestinationIp="23.218.108.30" DestinationHostname="a23-218-108-30.deploy.static.akamaitechnologies.com" DestinationPort="443" DestinationPortName="https"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550908" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.209" SourceProcessGUID="{21761711-83AE-607D-1D00-00000000BB01}" SourceProcessId="1960" SourceThreadId="2916" SourceImage="C:\Windows\sysmon64.exe" TargetProcessGUID="{21761711-65C9-6080-565E-00000000BB01}" TargetProcessId="3348" TargetImage="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" GrantedAccess="0x1fffff" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+6cd0a|C:\Windows\System32\KERNEL32.DLL+1cff8|C:\Windows\System32\KERNEL32.DLL+25a87|C:\Windows\sysmon64.exe+14ced|C:\Windows\sysmon64.exe+15adb|C:\Windows\sysmon64.exe+16c29|C:\Windows\sysmon64.exe+1abb1|C:\Windows\sysmon64.exe+1cfc7|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="10" Version="3" Level="4" Task="10" Opcode="0" Keywords="0x8000000000000000" RecordID="1550907" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.209" SourceProcessGUID="{21761711-83AE-607D-1D00-00000000BB01}" SourceProcessId="1960" SourceThreadId="2916" SourceImage="C:\Windows\sysmon64.exe" TargetProcessGUID="{21761711-65C9-6080-565E-00000000BB01}" TargetProcessId="3348" TargetImage="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" GrantedAccess="0x1400" CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\sysmon64.exe+2682c|C:\Windows\sysmon64.exe+1cc6d|C:\Windows\sysmon64.exe+1d392|C:\Windows\sysmon64.exe+1d4a5|C:\Windows\sysmon64.exe+b0519|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550906" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.030" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" CreationUtcTime="2021-04-19 13:19:52.725"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550905" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.030" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application" Hashes="MD5=74B6A20C9D3C085D0F80E2FEFDAF190D,SHA256=5ECF0C2C8DB1CDF614FA12BF6432310924E94C6573763FBAFAFDADFAA6066402" IsExecutable="false" Archived="false - insufficient disk space"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1067598" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-dc-982.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:04.248" ProcessGuid="{761B69BB-820D-607D-D800-00000000BA01}" ProcessId="1064" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security" Hashes="MD5=29C11191A00CFDED2C73D40B9E9FE38C,SHA256=84819BA66313924730593CC7ECD92DFE8C51EB2AA62B4B1FBEFE7692C39A692D,IMPHASH=00000000000000000000000000000000" IsExecutable="false" Archived="true"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550925" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:05.797" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Program Files\Microsoft Office\root\Office16\PROOF\msgrammar8.dll" FileVersion="16.0.13127.20204" Description="Grammar Proofing Service" Product="Microsoft Office" Company="Microsoft Corporation" OriginalFileName="MSGrammar8.dll" Hashes="MD5=603C1DBC6374EA44B7B46C1139BF2C30,SHA256=5C42F44B80E62ACCCAC7A9F89EC517D71A975829D251C9465B36DBB8BF09530F" Signed="true" Signature="Microsoft Corporation" SignatureStatus="Valid"
EventID="13" Version="2" Level="4" Task="13" Opcode="0" Keywords="0x8000000000000000" RecordID="1550924" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="SetValue" UtcTime="2021-04-21 17:50:05.797" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033" Details="DWORD (0x52950055)"
EventID="13" Version="2" Level="4" Task="13" Opcode="0" Keywords="0x8000000000000000" RecordID="1550923" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" EventType="SetValue" UtcTime="2021-04-21 17:50:05.797" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" TargetObject="HKLM\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400100000000F01FEC\Usage\SpellingAndGrammarFiles_1033" Details="DWORD (0x52950054)"
EventID="7" Version="3" Level="4" Task="7" Opcode="0" Keywords="0x8000000000000000" RecordID="1550922" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:05.781" ProcessGuid="{21761711-65C9-6080-565E-00000000BB01}" ProcessId="3348" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ImageLoaded="C:\Program Files\Microsoft Office\root\Office16\msproof7.dll" FileVersion="16.0.13127.20204" Description="Proofing Services" Product="Natural Language Components" Company="Microsoft Corporation" OriginalFileName="MSProof7.dll" Hashes="MD5=13A3C7D61A62995056D18886AD996779,SHA256=AAB0056E3AA43C0044DAC2AB26DB921127B353E34BEB0B5641D94B7C9F93F537" Signed="true" Signature="Microsoft Corporation" SignatureStatus="Valid"
EventID="11" Version="2" Level="4" Task="11" Opcode="0" Keywords="0x8000000000000000" RecordID="1550921" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:05.496" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" CreationUtcTime="2021-04-19 13:21:25.072"
EventID="23" Version="5" Level="4" Task="23" Opcode="0" Keywords="0x8000000000000000" RecordID="1550920" Channel="Microsoft-Windows-Sysmon/Operational" Computer="win-host-5.attackrange.local" RuleName="-" UtcTime="2021-04-21 17:50:05.496" ProcessGuid="{21761711-8437-607D-CE00-00000000BB01}" ProcessId="2032" User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename=C:\Program [record continues beyond this extract]
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE87AA9CCD762764D03BEFB0DCA8F819,SHA256=642119FAA718B0F36670BD9C156B9399B13253B16165C197CA9F7E5AB1BAA121falsefalse - insufficient disk space 10341000x80000000000000001067605Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:05.996{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067604Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:05.996{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067603Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:05.458{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394A936735ABCB4A97FCDFA071DFE693,SHA256=8372970161C14CF601FCDE8E7A76E5AA8DB5FF9CA783523CBC69187CA56B2B2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:03.778{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65009-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001550918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:01.922{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local65008-false52.111.245.11-443https 11241100x80000000000000001550917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:05.231{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001550916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:05.231{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8335178F821647B0C557BA3869882933,SHA256=6B7757313215F2ECF504F0652C463A56292913698EEB8ADA67FB2C1719BC760Afalsefalse - insufficient disk space 13241300x80000000000000001550915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:50:05.227{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001550914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:05.227{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15Binary Data 11241100x80000000000000001550929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:06.737{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shm2021-04-21 16:13:25.844 11241100x80000000000000001550928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:06.737{21761711-65C9-6080-565E-00000000BB01}3348C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal2021-04-21 16:13:25.844 11241100x80000000000000001550927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:06.498{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:06.498{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F855B9C12A52644A93D329E62DFF32A,SHA256=9B920C43EDD00B6DC3FA14933AFDA53E81F8F2A4AE611535656F9BEE0624F3D1falsefalse - insufficient disk space 10341000x80000000000000001067608Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:06.997{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067607Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:06.997{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067606Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:06.471{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A76F50203FCBEFB8EE2D3DDE628AF45,SHA256=69B892B36F2FC5DA8ADB385BD721278D15EDC040D5B454981E62EAD9702DEF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001550935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:07.755{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb437bef.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000001550934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:07.755{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb437bef.TMP2021-04-21 17:50:07.755 254200x80000000000000001550933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:07.755{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5y3werlw.tmp2021-04-20 20:22:02.3742021-04-21 17:50:07.755 11241100x80000000000000001550932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:07.755{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\5y3werlw.tmp2021-04-21 17:50:07.755 11241100x80000000000000001550931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:07.501{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:07.501{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5621138F594F1278EDB9D0F49E6254,SHA256=AC8B1FC08978D480900129AF9448B0A30B101C702AABEAC71AE0B0371D1606D4falsefalse - insufficient disk space 10341000x80000000000000001067611Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:07.997{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
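Each whitespace-separated run in this export is one Sysmon record whose delimiters were lost in extraction: the XML System fields first (EventID, Version, Level, Task, Opcode, Keywords, EventRecordID, Channel, Computer, Security), then the EventData values in the order of the Sysmon schema for that event type. The records that matter for triage here are the Event ID 3 network connections initiated by WINWORD.EXE (PID 3348) to 23.218.108.30:443 and 52.111.245.11:443, and the Event ID 13 SetValue writes by Explorer.EXE under the UserAssist key, whose value names are ROT13-encoded. The script below is an added example, not part of the exported data or of the attack_range project: it models those records as Sysmon EventData dictionaries (values copied from the records above, constructed as sample input), flags Office processes connecting to public addresses, and decodes the UserAssist value names. The OFFICE_IMAGES list is an assumption of this example.

```python
"""Triage helpers for Sysmon Event ID 3 and Event ID 13 records (added example)."""
import codecs
import ipaddress

# Office host processes whose outbound connections deserve a look (assumption of this example).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}

# UserAssist subkey seen in the export; Explorer counts executable launches under it.
USERASSIST_EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"

# Constructed sample events: EventData values copied from the records in the export.
SAMPLE_EVENTS = [
    {"EventID": 3, "UtcTime": "2021-04-21 17:50:01.319", "Computer": "win-host-5.attackrange.local",
     "ProcessId": 3348, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"WIN-HOST-5\Administrator", "Protocol": "tcp", "Initiated": True,
     "SourceIp": "10.0.1.15", "SourcePort": 65007, "DestinationIp": "23.218.108.30",
     "DestinationHostname": "a23-218-108-30.deploy.static.akamaitechnologies.com", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2021-04-21 17:50:01.922", "Computer": "win-host-5.attackrange.local",
     "ProcessId": 3348, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"WIN-HOST-5\Administrator", "Protocol": "tcp", "Initiated": True,
     "SourceIp": "10.0.1.15", "SourcePort": 65008, "DestinationIp": "52.111.245.11",
     "DestinationHostname": "", "DestinationPort": 443},
    {"EventID": 3, "UtcTime": "2021-04-21 17:50:03.778", "Computer": "win-host-5.attackrange.local",
     "ProcessId": 3840, "Image": r"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "Protocol": "tcp", "Initiated": True,
     "SourceIp": "10.0.1.15", "SourcePort": 65009, "DestinationIp": "10.0.1.12",
     "DestinationHostname": "ip-10-0-1-12.us-west-2.compute.internal", "DestinationPort": 8000},
    {"EventID": 13, "UtcTime": "2021-04-21 17:50:05.227", "Computer": "win-host-5.attackrange.local",
     "EventType": "SetValue", "ProcessId": 3784, "Image": r"C:\Windows\Explorer.EXE",
     "TargetObject": r"HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA",
     "Details": "Binary Data"},
    {"EventID": 13, "UtcTime": "2021-04-21 17:50:05.227", "Computer": "win-host-5.attackrange.local",
     "EventType": "SetValue", "ProcessId": 3784, "Image": r"C:\Windows\Explorer.EXE",
     "TargetObject": r"HKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.JVAJBEQ.RKR.15",
     "Details": "Binary Data"},
]


def is_private_or_local(ip: str) -> bool:
    """True for RFC 1918, loopback, link-local and unspecified addresses (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


def office_external_connections(events):
    """Event ID 3 records in which an Office process initiated a connection to a public address."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 3 or not ev.get("Initiated"):
            continue
        image_name = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image_name not in OFFICE_IMAGES or is_private_or_local(ev["DestinationIp"]):
            continue
        findings.append({
            "UtcTime": ev["UtcTime"], "Computer": ev["Computer"], "ProcessId": ev["ProcessId"],
            "Image": image_name, "User": ev["User"],
            "Destination": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
            "DestinationHostname": ev.get("DestinationHostname") or "(no reverse DNS)",
        })
    return findings


def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names are ROT13 of the executable path; digits and punctuation are unchanged."""
    return codecs.decode(value_name, "rot13")


def userassist_entries(events):
    """Event ID 13 SetValue records under UserAssist\\<GUID>\\Count, with the value name decoded."""
    marker = "\\UserAssist\\" + USERASSIST_EXE_GUID + "\\Count\\"
    entries = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        target = ev["TargetObject"]
        if marker not in target:
            continue
        encoded = target.split(marker, 1)[1]
        entries.append({"UtcTime": ev["UtcTime"], "Image": ev["Image"],
                        "Encoded": encoded, "Decoded": decode_userassist_name(encoded)})
    return entries


if __name__ == "__main__":
    for f in office_external_connections(SAMPLE_EVENTS):
        print("office egress:", f["UtcTime"], f["Image"], f["Destination"], f["DestinationHostname"])
    for e in userassist_entries(SAMPLE_EVENTS):
        print("userassist:", e["UtcTime"], e["Encoded"], "->", e["Decoded"])
```

The network analytic surfaces, it does not convict: the reverse DNS on the first hit points at an Akamai CDN host, which is what Office update and telemetry traffic looks like, so baseline hits against the destinations your Office deployment normally talks to before escalating. The decoded UserAssist entry (Microsoft.Office.WINWORD.EXE.15) is the execution record Explorer wrote when the user launched Word, which is why these Event ID 13 writes line up with the WINWORD.EXE image loads in the same second. The Event ID 10 records in this export with GrantedAccess 0x1fffff from sysmon64.exe and 0x3600 from svchost.exe with psmserviceexthost.dll on the stack are the sensor and the Process State Manager handling processes it manages, a routine source of noise for process-access rules.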
10341000x80000000000000001067610Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:07.997{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067609Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:07.473{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362FA7544BC0C8D4D2755738C674DF22,SHA256=B1271214EB2AC17495B7AB11B1FB15710FD1D82E89864ECA8857AC13EDC20F79,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001550937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:08.503{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:08.503{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0BF11F2FE459CEE694C242845E9BFD,SHA256=EF69399972EEDA600DA3F64272F6CADF0D8866A0453023367E7FB4EDCA4D582Efalsefalse - insufficient disk space 10341000x80000000000000001067623Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.998{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067622Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.998{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067621Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.594{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=277AA10DFBFAAC5967EB94E5F5F707C2,SHA256=0F13C5BE6DBB29A81E7C5934380AA726133E13BFA4D6B09B4AE9C81030EEE91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067620Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.489{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C37A898A0101D6747570A4447EA407,SHA256=40CE1633831F904641AEBC8799C5D28A0D4AA41BDE32E0DA8EE2BEEC62788CE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067619Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.060{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65D0-6080-275D-00000000BA01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067618Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:08.058{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067617Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.058{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067616Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:08.058{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067615Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.058{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067614Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.058{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-65D0-6080-275D-00000000BA01}3108C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067613Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.057{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65D0-6080-275D-00000000BA01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067612Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:08.057{761B69BB-65D0-6080-275D-00000000BA01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001550939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:09.706{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:09.706{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8595705C4C02A3B322787C3B6246953B,SHA256=1966ECE1A60F22B830FEF98E090116AC5ED6259DCCC4639462AA6EBCDF6587C2falsefalse - insufficient disk space 10341000x80000000000000001067626Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:09.998{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067625Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:09.998{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067624Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:09.500{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3380E5592984CAFC9BF69C3B91E02158,SHA256=6A020BE34366B8509EB94615A524C3F10D2C8B851717363F6C4EAEE7FFEBBDD8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001550945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
11241100x80000000000000001550968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:14.853{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:14.853{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE2CD5532C79AFDA5437F5E6CF10AE9,SHA256=287BC24BF7EC7AE1FC0297E2A32BE5EA078B4DE1BE28D19A022A377675AA2017falsefalse - insufficient disk space 22542200x80000000000000001550966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:13.301{21761711-83AE-607D-1D00-00000000BB01}196039.0.73.104.in-addr.arpa.0type: 12 a104-73-0-39.deploy.static.akamaitechnologies.com;C:\Windows\sysmon64.exe 23542300x80000000000000001067671Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:14.545{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6935A298B2372360984570B64FD045E,SHA256=FD703CC549BE7AA87C388D51F619F985C22D1757552E30467970F5227272F04C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:12.722{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65013-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x80000000000000001550964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:14.186{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001550963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:14.186{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74AD438BCB23AFBADEE0F18608CD09BE,SHA256=43BF69BA03DF558C63DF29D2A3FD4943FAEEBB17C0F8B13372B4C7A21E412D90falsefalse - insufficient disk space 23542300x80000000000000001067670Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:14.018{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8175CD93C888BC6A115298AE86274319,SHA256=16352E7F0CA3E9C404004E771766F9C000BEBD0770D87AC178A63214DFDB34ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067669Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:13.999{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:15.858{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:15.858{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC83CDCD9FEE7B9FDCC2EB9A20BAA33,SHA256=052348F1472583842D73A95B912202C3C8B96CB4990ADE6C65D651F4E1101505falsefalse - insufficient disk space 23542300x80000000000000001067677Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:15.554{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568EA60FA60CEAAD184126E4E321D7D3,SHA256=CEA61FBDDAA4D43FADF1EFF3AF8C04A144B20295A02B0493BC0BFAC1DE9032C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067676Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:15.033{761B69BB-818C-607D-0D00-00000000BA01}9046912C:\Windows\system32\svchost.exe{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067675Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:15.033{761B69BB-818C-607D-0D00-00000000BA01}9046912C:\Windows\system32\svchost.exe{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067674Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:09.987{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal59361- 10341000x80000000000000001067673Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:14.999{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067672Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:14.999{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:16.892{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:16.892{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BA80130237BC1477209A1D77E177A7,SHA256=783304C90AE8A1CAD3ABAAE1667393081F6C3C71FB55D6CAD7CAA0C65D2A5D49falsefalse - insufficient disk space 23542300x80000000000000001067681Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:16.570{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74A31AA54406E7A29D03742712E3A37,SHA256=C9949126189672970C99AAB8B29D71033A780C990C6CC637EEA5B70DE83EECA3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001550972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:16.037{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001550971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:16.037{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=709DFA6EA96C871F5A9A69B2BB1B41E1,SHA256=34128C7972C85769A0BE4D6AE447B6A3694DF3908CC4E4D905655CBC3B86E2B2falsefalse - insufficient disk space 23542300x80000000000000001067680Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:16.027{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4600B0AB9655866F540A5023C3B5755,SHA256=AB1FE9BEFF6A6A4CBAB8BD76BB73D51363A240D45DB01E37BC0AE4633625762B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067679Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:16.000{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067678Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:16.000{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:17.910{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:17.910{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241E34C0192340489A9142CEE36F4EE9,SHA256=755945E2B970E68A2335161FEE4D68C87949D3AFD78A7EE61CA3FA163C839518falsefalse - insufficient disk space 23542300x80000000000000001067686Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:17.765{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C69CC6146F1DA3EBA79C00A070CFD0C,SHA256=481AE0318D5F2156BDE20FB85155D993600EABB38D3D1485A521529DC0A9D77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067685Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:17.576{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2C6E041747110DD86CD46C03F8D996,SHA256=004BBA6FE6BF2D5B635A69CAC5658B52901458F8B6A002D8BA0FA1959CFA59A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001550975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:14.557{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65014-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x80000000000000001067684Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:11.691{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32520-false10.0.1.12-8000- 10341000x80000000000000001067683Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:17.000{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067682Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:17.000{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x80000000000000001550979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:18.944{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:18.944{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63A2CD7BB04E8A46B79511F06C8A7A1,SHA256=3DDE7335BF6E49824C7E6A10366D00C62E26B18C191C4D7E03E38B9F527561AAfalsefalse - insufficient disk space 23542300x80000000000000001067689Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:18.586{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3DB92B971C171D23FC928A2254DE91,SHA256=32935961F0240E4CAADDBB0FD5FA7A2249B1B775CE9F7786F3A5289C669B3648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067688Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:18.001{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067687Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:18.001{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:19.964{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:19.964{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106398488D670B2A7ED17DB89744D12B,SHA256=164076A31681ED392A902C32FBA151B2FFE12974346E6B9C32A33EAD40779F1Efalsefalse - insufficient disk space 23542300x80000000000000001067693Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:19.595{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24D3BBFC80A680396FCF1C8BA60C86C,SHA256=9CA12CDA92708E819AE473A1A3192120C232EA26A6DA12B8AFBC4D1E95C6F45E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001067692Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:13.430{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32521-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x80000000000000001067691Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:19.002{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067690Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:19.002{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:20.966{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:20.966{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F012624E1E15366D4001B513DB359347,SHA256=1744BA0853105987A6288E0F54033DD094CD9D2399771AF0E7CD81B07B7E64FFfalsefalse - insufficient disk space 10341000x80000000000000001067704Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.627{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65DC-6080-2B5D-00000000BA01}3884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067703Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.625{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067702Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:20.625{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067701Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.625{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067700Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:20.625{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067699Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.624{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-65DC-6080-2B5D-00000000BA01}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067698Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.624{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65DC-6080-2B5D-00000000BA01}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067697Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.623{761B69BB-65DC-6080-2B5D-00000000BA01}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067696Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.599{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6804F7446E9479351E22F205C6072E,SHA256=4CBCE5B2C9DF4E77216AED72962DD080BE0254E0C83B483057EEE613D122F486,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001067695Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.003{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067694Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:20.003{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001550988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:21.989{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:21.989{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DC5824D9A93B8BCAFD3DAD86540B78,SHA256=A65407E52BBAF2A377B9602EE93C702BBCADB3802CF7A1170602BD2F49F64D74falsefalse - insufficient disk space 10341000x80000000000000001067725Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.957{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65DD-6080-2D5D-00000000BA01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067724Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.956{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067723Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:21.956{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067722Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.956{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067721Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:21.955{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067720Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.955{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-65DD-6080-2D5D-00000000BA01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067719Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.955{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65DD-6080-2D5D-00000000BA01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067718Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.954{761B69BB-65DD-6080-2D5D-00000000BA01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067717Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.619{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B3475C2E7460365BF74D6CDA98E4FE,SHA256=52462A91B9C6620967D764962DC880D22F6F65FA07A0C5E645847909D18D20AC,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001550986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:19.569{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65015-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001550985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:21.033{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001550984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:21.033{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47997C15EF1DFC94FF04A48173296B28,SHA256=F937DC0C7035283B137601259168166E2BF527D88B3F500D51CE17C4BF8A3903falsefalse - insufficient disk space 10341000x80000000000000001067716Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.438{761B69BB-65DD-6080-2C5D-00000000BA01}4003996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067715Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.292{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-65DD-6080-2C5D-00000000BA01}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067714Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.290{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067713Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:21.290{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067712Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.290{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067711Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:21.289{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067710Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.289{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-65DD-6080-2C5D-00000000BA01}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067709Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.289{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-65DD-6080-2C5D-00000000BA01}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001067708Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.288{761B69BB-65DD-6080-2C5D-00000000BA01}400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001067707Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.149{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C668201A95A267B25153A7E2351B3BE8,SHA256=A5249D1A57C7ACF98249243FE05EB99CA8424602A8A178D9AC3F74784148CF37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067706Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:21.003{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067705Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:21.003{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067731Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:22.626{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD84856FF5E495DAFBFD2BC027BD95BA,SHA256=5E65C1C903CD957F82A473EE531327C9C7277A266C30903F46E6F702256D5704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067730Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:22.293{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=652C27AD1F8008A8E5CB5F71265793CA,SHA256=08CA1D14BD9B2370A13F1004A6C23C0491935436964BE316C82F129256087932,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067729Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:22.097{761B69BB-65DD-6080-2D5D-00000000BA01}66123288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067728Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:16.816{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32522-false10.0.1.12-8000- 10341000x80000000000000001067727Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:22.004{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067726Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:22.004{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067735Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:23.996{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C64F258A642699C45465DAA5F0EDF975,SHA256=1B80A34B44140AE1F388B5F0EA0EE6F733AC88044D419E6392BF35077CB6AA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067734Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:23.634{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB16C03257C11A16FEB2E35FB932B65,SHA256=22E5B1704AFD1B3CCB7CF358B8F157DA0E8BA2C3DF6038BA0E59BD7051613866,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001550990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:23.038{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001550989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:23.038{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E54DDD55AE39875591273FC2D7D1051,SHA256=0253BEF16C1B4D97E6F7F3CCE57F697934E2DF9DE4ACCC609AEAE7EAD9B35E8Afalsefalse - insufficient disk space 10341000x80000000000000001067733Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:23.005{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:27.017{21761711-65E3-6080-595E-00000000BB01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001551007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:27.017{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 
17:50:27.017{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:27.017{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:27.017{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:27.017{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:27.017{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x80000000000000001067755Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:28.675{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F79792D95849D143A7AE7FC10B1219,SHA256=3CFEF444C05584090F48D7DC4FC8876707AB0A9443732869A808F5F41DDA8EDF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:28.186{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 
13:21:25.072 23542300x80000000000000001551062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:28.186{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7E91F9947FACFD8F80581014B88F3F,SHA256=B8BF5B36B047403A1188E2870A5AE9C59C5A85055C84845E880E50883EFD5481falsefalse - insufficient disk space 354300x80000000000000001067754Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:22.697{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32524-false10.0.1.12-8000- 10341000x80000000000000001067753Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:28.007{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067752Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:28.007{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:28.019{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:28.019{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEFD83FC3A1F1093FFDE57C7F718C694,SHA256=3E61BF3F44C2B6F0F6489F7AE5DDBFD983A9AF431146E24B98911ACF65F9A074falsefalse - insufficient disk space 23542300x80000000000000001067759Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:29.862{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067758Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:29.692{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023CE8180D0D64158F86CE69FAA56FDD,SHA256=BDA36D4B9AED7CF5412088FD3AC8748E858DA124461E63E280620BB44ACA1BDF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:29.206{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:29.206{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B8714BB18E64F56CE287F6C4D15F85,SHA256=E0DE5DA9F9DC9205E1DEC57823AFC026566F176E615550609F4B19FC96977E49falsefalse - insufficient disk space 10341000x80000000000000001067757Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:29.008{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067756Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:29.008{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067763Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:30.853{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A080DDC286B8326D14E65BF03F28F5AB,SHA256=764D0A183E30B808633F8B0229B5F6536CBEED764B536486BEC46FA35383DE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067762Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:30.696{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C204345E9F52EA6BD0EB2E840A85EB4,SHA256=4B8EEE6F1EAB89903D7D2C72B7586346080D9CA1235F47464920E617DBD6007E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:30.224{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:30.224{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72ACF21B5A99CB223302DF859D1076C4,SHA256=730F5D7CC3F608F0DACFE3B6EA0B5FCF0F044A6C016CED49AD0235824634E529falsefalse - insufficient disk space 10341000x80000000000000001067761Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:30.009{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067760Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:30.009{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067774Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:31.701{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836BF0A0372162873D85AFD3D5DF9694,SHA256=3F21A01DC2E5452FD18E9714BDE9C9AAD1D613ADDAC03136B8518B8FA73CA349,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001551184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.960{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001551183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.960{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001551182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.960{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001551181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001551180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001551179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 
734700x80000000000000001551178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001551177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001551176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001551175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001551174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001551173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001551172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001551171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001551170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001551169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001551168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 
734700x80000000000000001551167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001551166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001551165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001551164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001551163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001551162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001551161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001551160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, 
Inc.Valid 734700x80000000000000001551159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001551158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001551157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001551156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 
734700x80000000000000001551155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001551154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001551153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001551152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 
734700x80000000000000001551151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001551150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x80000000000000001551149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001551148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000001551147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001551146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001551145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001551144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001551143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x80000000000000001551142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001551141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 
734700x80000000000000001551140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001551139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001551138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000001551137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.944{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000001551136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.929{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.929{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x80000000000000001551134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:31.929{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.929{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.929{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:31.929{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.929{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:31.929{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x80000000000000001551128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:29.641{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65017-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 
534500x80000000000000001551127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.374{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001551126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.374{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001551125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.374{21761711-65E7-6080-5A5E-00000000BB01}79646276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001551124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.374{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating 
SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001551123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.374{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000001551122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.274{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.274{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF469EC1050513CDC5C2A98BD636F4DD,SHA256=861148AAE66CED27A34F262266B3DFE6771E3B8BABEA71B14F502613ACD7A9BFfalsefalse - insufficient disk space 734700x80000000000000001551120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.258{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 10341000x80000000000000001067773Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:31.440{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067772Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:31.440{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067771Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:31.440{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067770Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:31.438{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067769Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:31.438{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067768Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:31.438{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067767Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:31.438{761B69BB-84D3-607D-0403-00000000BA01}3725160C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001067766Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:26.517{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32525-false10.0.1.12-8089- 10341000x80000000000000001067765Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:31.010{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067764Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:31.010{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001551119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001551118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001551117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001551116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001551115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001551114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 
734700x80000000000000001551113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001551112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001551111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001551110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001551109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001551108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001551107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001551106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001551105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001551104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001551103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 
734700x80000000000000001551102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001551101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001551100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001551099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001551098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001551097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001551096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001551095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe 
OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001551094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001551093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001551092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001551091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001551090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001551089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001551088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001551087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001551086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001551085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001551084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001551083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001551082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001551081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001551080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001551079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:31.243{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000001551078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.243{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.227{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.228{21761711-65E7-6080-5A5E-00000000BB01}7964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001551075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.227{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:31.227{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:31.227{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:31.227{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 
17:50:31.227{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:31.227{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001551069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.091{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:31.091{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AE00B2729136B563EBE7E2D8307F8ED,SHA256=3CE6393899E30A1271AD04B9E2AA1994832A1AF3E30068E43882290F3241C885falsefalse - insufficient disk space 23542300x80000000000000001067778Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:32.705{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A980C4C28339F91F817B68355CBC72AB,SHA256=ABBA279BE03510F74453BA929B39611DEDA6921340FA560461362492B45F518C,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001551248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.762{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 
734700x80000000000000001551247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.762{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001551246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.762{21761711-65E8-6080-5C5E-00000000BB01}60244620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001551245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.762{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001551244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:32.762{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001551243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001551242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001551241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft 
WindowsValid 18141800x80000000000000001551240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001551239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001551238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001551237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001551236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001551235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001551234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001551233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001551232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001551231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001551230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001551229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 
734700x80000000000000001551228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001551227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001551226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001551225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001551224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001551223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001551222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001551221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001551220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001551219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001551218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001551217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001551216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001551215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001551214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001551213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup 
APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001551212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001551211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001551210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001551209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001551208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001551207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001551206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001551205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001551204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001551203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001551202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.630{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x80000000000000001551201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:32.615{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.615{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.615{21761711-65E8-6080-5C5E-00000000BB01}6024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001551198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:32.615{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:32.615{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:32.615{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:32.615{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:32.615{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:32.615{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001551192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.395{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.394{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B776B6158EF2E114898BC2C370C8FEEB,SHA256=E910EECB6AC02C57D114EEDDCAAE2AFE6B629CFDF82FCAA436436A3E37E47E85falsefalse - insufficient disk space 23542300x80000000000000001067777Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:32.172{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=125DDCBB34DC9D6DFA6B95397125B084,SHA256=C622432B883633C14229708C3F0EDEF879C6C8E868C36EC13190BE89F7818C1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067776Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:32.011{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001067775Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:32.011{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.229{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.229{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE63F7EF7DA6D45240575D3EC682BA0,SHA256=4BC3A86A528120393E242135EB4029CD16E41AF0AD456BA0E36AC59F919B1A80falsefalse - insufficient disk space 534500x80000000000000001551188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.076{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x80000000000000001551187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.076{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001551186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.076{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001551185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:32.076{21761711-65E7-6080-5B5E-00000000BB01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x80000000000000001067782Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:33.717{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296EEBAFD813DD9BC59C78B163112323,SHA256=069BE9C805509D32EA0B4511D70A68DF204097006681E66B820EC64CF9306400,IMPHASH=00000000000000000000000000000000falsetrue 
734700x80000000000000001551365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001551364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001551363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001551362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001551361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001551360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x80000000000000001551359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001551358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001551357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 
(rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001551356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001551355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001551354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001551353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001551352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001551351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001551350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001551349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.918{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x80000000000000001551348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.902{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001551347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.902{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001551346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.902{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL 
ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001551345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.902{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001551344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.902{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001551343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.902{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001551342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.902{21761711-65E9-6080-5E5E-00000000BB01}2200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001551261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.232{21761711-65E9-6080-5D5E-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001551260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.232{21761711-65E9-6080-5D5E-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x80000000000000001551259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.232{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-65E9-6080-5D5E-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.232{21761711-842A-607D-9700-00000000BB01}37163760C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-65E9-6080-5D5E-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.217{21761711-65E9-6080-5D5E-00000000BB01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001551256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:33.216{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-04-21 17:50:33.216 11241100x80000000000000001551255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:33.216{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\meudewsu.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-04-21 17:50:33.216 18141800x80000000000000001551254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:33.216{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:33.216{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:33.216{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:33.216{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:33.216{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000001551249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:50:33.216{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001551456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.904{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.904{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC1DD4E4981BC416F5FA02FE431DF197,SHA256=D9E04620F332E6B2AA559ECE5999451FF379B83D6F58C75FCED8D18DE6529AC9falsefalse - insufficient disk space 534500x80000000000000001551454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.735{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x80000000000000001551453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.735{21761711-65EA-6080-5F5E-00000000BB01}49281720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001551452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.720{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001551451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.720{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001551450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001551449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced 
Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001551448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001551447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001551446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001551445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001551444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001551443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001551442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001551441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 
734700x80000000000000001551440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001551439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001551438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001551437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft 
Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001551436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001551435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001551434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001551433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, 
http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001551432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001551431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001551430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001551429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001551428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.604{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001551427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.603{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001551426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.603{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001551425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.603{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® 
Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001551424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.603{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001551423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.602{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001551422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.602{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001551421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.602{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001551420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.602{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001551419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.601{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001551418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.601{21761711-65EA-6080-5F5E-00000000BB01}4928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 
17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067810Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067809Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067808Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067807Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067806Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067805Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067804Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067803Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067802Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067801Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067800Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067799Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067798Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067797Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.042{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067796Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067795Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067794Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067793Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067792Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067791Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067790Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067789Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067788Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.041{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:35.136{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001551459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:35.136{21761711-8437-607D-CE00-00000000BB01}2032NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8A144990FA2BFD58907E4E35A9D44F9D,SHA256=0D884BF6AFA2CF9F7CF660C31F9FBE597B55B663534F9C02A83369C699E248A2falsefalse - insufficient disk space 11241100x80000000000000001551458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:35.136{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227 23542300x80000000000000001551457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:35.136{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DF6E622C426FE50141096107EAA426EA,SHA256=392B2FEA596B98FA738437CC21F99F3D97A81702A18C42BD5AD3F10E4E19FC0Efalsefalse - insufficient disk space 10341000x80000000000000001067787Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:35.013{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067786Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:35.013{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:36.787{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:36.787{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812DAE6E532360853B683054DFBCDF50,SHA256=238F74DDB9A0B0EEEB6A096A5B047FE221503751F54DA1CDB20D3AE486513B78falsefalse - insufficient disk space 23542300x80000000000000001067831Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:36.771{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C019622552662C4BD3475AD49350E5,SHA256=C73B987F71BAE5C34134B165166E872F7BDD6C73E511793F8458094C026A9AF5,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001067830Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:36.014{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067829Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:36.014{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:36.139{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:36.139{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D49143868E3677258F60003B8590824,SHA256=4843F21C634CF5D55F1B1489274FE65573F994AC9DCA05F39D7D9015639DBFBCfalsefalse - insufficient disk space 11241100x80000000000000001551469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:37.974{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:37.974{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305760BC757191209FD64B51D98D4469,SHA256=2FF2595BB4C315848073A89553D0B56095ED1C693848C6D2AF1ED1980582C573falsefalse - insufficient disk space 23542300x80000000000000001067837Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:37.779{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7CBB959018F2DCB5C473A9F1B1FF68C,SHA256=CCF2E9BD484734A6B385965B5C2DFB3A4D1895AEF38A53BEE478875E318CD959,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:34.675{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
17:50:46.082{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067877Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:46.082{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067876Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:46.082{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067875Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:46.082{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067874Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:46.082{761B69BB-84CF-607D-F002-00000000BA01}43804688C:\Windows\system32\csrss.exe{761B69BB-65F6-6080-2E5D-00000000BA01}1404C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001067873Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:46.081{761B69BB-65B6-6080-265D-00000000BA01}23046692C:\Users\Administrator\Desktop\64_dllhost.exe{761B69BB-65F6-6080-2E5D-00000000BA01}1404C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+5fc62|C:\Windows\System32\KERNELBASE.dll+5f7f6|C:\Windows\System32\KERNEL32.DLL+1bcc3|UNKNOWN(000000000092E8A9) 154100x80000000000000001067872Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:46.081{761B69BB-65F6-6080-2E5D-00000000BA01}1404C:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\system32\dllhost.exeC:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{761B69BB-84D1-607D-2C9F-1B0000000000}0x1b9f2c2HighMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exe"C:\Users\Administrator\Desktop\64_dllhost.exe" 10341000x80000000000000001067871Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:46.081{761B69BB-818C-607D-1200-00000000BA01}6125508C:\Windows\System32\svchost.exe{761B69BB-65F6-6080-2E5D-00000000BA01}1404C:\Windows\system32\dllhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067870Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:46.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067869Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:46.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067889Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:47.848{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C800030ED96C145959A68B38F5DAC136,SHA256=FA85A91193B8CF769E27DDC130A71B39B9972CE85CB4CCE93D21C3241910BECC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:47.682{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:47.682{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEACE60F68DAAB1759110330EB5C29F7,SHA256=A19D0C7AF060D8C01F10EF441680767B1C907C673C4133A10824244A5ED08E1Ffalsefalse - insufficient disk space 23542300x80000000000000001067888Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:47.795{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\wcognp7t.default-release\cache2\doomed\23385MD5=5EC7D6468562EB25CEFB27C3CF49496C,SHA256=7746AF6A85DBD38F9420549E1C8ADD0AACA6793CFF04E7272F7FBC8CB3361A37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001067887Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:42.720{761B69BB-65B6-6080-265D-00000000BA01}2304C:\Users\Administrator\Desktop\64_dllhost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local32529-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001067886Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:47.057{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29C15F1B3EC1D7EBFD04B15204869DD6,SHA256=471C80C596E95D89EE6E5385C62C09385428F81782452B5194D2707C46158360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067885Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:47.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067884Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:47.023{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067898Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:48.960{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=097CA6FD37941E15E9A2D1D4328E9617,SHA256=3864CF137EF9F7DD4381AA3F68C62DAF8DB629ADB46EEF173C2346AAC64D0D9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067897Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:48.857{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C0CE122ADC95C731A49FC2B8995E73,SHA256=DF1889F9AB757173DB05A5BC5D0B19019A6B9228BA8B8F3915F568BAB42AE5B8,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001551571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\RegisteredSinceBootDWORD (0x00000001) 
13241300x80000000000000001551570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001551569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001551568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\FlagsDWORD (0x00000002) 13241300x80000000000000001551567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\TtlDWORD (0x000004b0) 13241300x80000000000000001551566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\SentPriUpdateToIpBinary Data 13241300x80000000000000001551565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\SentUpdateToIpBinary Data 13241300x80000000000000001551564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\DnsServersBinary Data 13241300x80000000000000001551563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\HostAddrsBinary Data 13241300x80000000000000001551562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\PrimaryDomainNameattackrange.local 13241300x80000000000000001551561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\AdapterDomainName(Empty) 13241300x80000000000000001551560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\Hostnamewin-host-5 
12241200x80000000000000001551559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC} 12241200x80000000000000001551558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001551557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000001551556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001551555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}Binary Data 12241200x80000000000000001551554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000001551553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000001551552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 12241200x80000000000000001551551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x80000000000000001551550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}Binary Data 12241200x80000000000000001551549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000001551548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000001551547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 
13241300x80000000000000001551546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}Binary Data 12241200x80000000000000001551545Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000001551544Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000001551543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 13241300x80000000000000001551542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}Binary Data 12241200x80000000000000001551541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 
12241200x80000000000000001551540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 18141800x80000000000000001551539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480\wkssvcC:\Windows\system32\svchost.exe 12241200x80000000000000001551538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 13241300x80000000000000001551537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}Binary Data 12241200x80000000000000001551536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000001551535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000001551534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 
13241300x80000000000000001551533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal\{320C6A4C-772D-4B50-8961-1F66C9B6F4BC}Binary Data 12241200x80000000000000001551532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet\us-west-2.compute.internal 12241200x80000000000000001551531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache\Intranet 12241200x80000000000000001551530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache 12241200x80000000000000001551529Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001551528Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001551527Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:50:48.985{21761711-83AE-607D-1400-00000000BB01}480C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 
17:50:54.266{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9745C82E470EA109B991A6531DD04AB,SHA256=7B7BDC0E64621F9DB519D9355510D46AE6DEB4E2A516094B2639A457FE5C530Dfalsefalse - insufficient disk space 23542300x80000000000000001067930Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:54.359{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=198A5D5FA8D503E0C2E1EF6EBADC50F9,SHA256=805A5B2CB873E2FCDE5220CD9731B0BE7612C031323788EA1273949771EABAC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067929Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:54.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067928Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:50:54.028{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067938Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:55.998{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143C98E06EE1D026C15DCA426B22D9AC,SHA256=21088E975DAEDA776F5C48A52909F3B960CAA1F8B1F387CB3479D6026F0D8D95,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551599Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:55.349{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551598Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:55.349{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B957E458125BEC304334A59CE44E5EE,SHA256=46A757D28BBA277C6710065905991398926A56CED14F605C1D4E5C94E201D4B9falsefalse - insufficient disk space 
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067937 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:55.434 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1410 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067936 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:55.434 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067935 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:55.434 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067934 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:49.872 ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} ProcessId=4116 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=32531 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067933 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:55.029 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067932 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:55.029 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551603 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:56.487 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551602 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:56.487 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=DE5EE531CB974AE3ED9480C43853ED0F,SHA256=F5DCAC2C29DC21E9FBD2432D6BDED51BA74A4128680A673F8DA05D5CB91BC6A8 IsExecutable=false Archived=false - insufficient disk space
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067941 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:56.419 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=07E2B3FA4562BFD0224FC645304CDED2,SHA256=4BC63D0E1AB16D20826E43FFBA7CE51A581E8186746DDB075A6F3F739078F4FE,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067940 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:56.029 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067939 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:56.029 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551601 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:56.017 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-04-19 13:20:22.616
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551600 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:56.017 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=1648F2752ECC0C09C005A1DBF9FE54B0,SHA256=A0D7931E4A53F7EB00127FB16AF04D0C783C3406270FD0A65CF97FEE354FEFA1 IsExecutable=false Archived=false - insufficient disk space
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551605 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:57.605 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551604 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:57.605 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=924A16AD0218F31C83AFCB4C6A0A2C62,SHA256=D380CA2600D09C46AA899C07D05BBC01E761F1A1B709197F3EDA54896E9A9FF3 IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067944 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:57.030 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067943 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:57.030 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067942 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:57.001 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=765F16E948DC1859149B8A05E20913FD,SHA256=BA21604ABFDF3AB24402F3DC23E0EA8D776C6FBD11FF534EA118E45A40DB1D2F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551609 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.608 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551608 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.608 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=8F88D70CF050FFD01525ADAF5A764FCE,SHA256=B9742FD7556BE54209E7773C9FE08860505F3890903DD73BCBDB6EA17F6D8068 IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067955 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.907 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1410 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067954 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.907 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067953 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.907 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067952 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.907 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=3726960 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1410 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067951 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.906 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=3726960 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067950 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.906 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=3726960 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067949 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.906 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=3726960 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067948 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.897 ProcessGuid={761B69BB-646C-6080-FB5C-00000000BA01} ProcessId=5716 User=ATTACKRANGE\Administrator Image=C:\Program Files\OpenJDK\jdk-16\bin\java.exe TargetFilename=C:\Users\ADMINI~1\AppData\Local\Temp\2\imageio18391668484323219234.tmp Hashes=MD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067947 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.030 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067946 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.030 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067945 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.005 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=BDB3BA561D345393A4212269977C031E,SHA256=35A8B92F7B0A1B63D051A995FEB9CF4D98543852B0485B58AD1AFE8120E8A952,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551607 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.291 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security CreationUtcTime=2021-04-19 13:20:22.616
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551606 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:58.291 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security Hashes=MD5=2840F1AF24DFCA0A30C9850AD2010AE1,SHA256=C9BCE1019DC79BEF033AE942A9C5BED8650BE165FD90FF1EF65C0CEA51CA43AB IsExecutable=false Archived=false - insufficient disk space
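The records on this page are a Sysmon export with every field of each event run together without delimiters, which makes them hard to query as they stand. The following script is an added example, not part of the dataset or of any Splunk or Sysmon tooling: it recovers the fields of Event 10 (ProcessAccess), Event 23 (FileDelete) and Event 3 (NetworkConnect) records from that run-together form by anchoring on values Sysmon always emits, then runs three checks a detection engineer would want over them. The sample input is constructed: four records copied from above (CallTrace shortened) plus one made-up record, 9999999, in which a hypothetical C:\Users\Public\stage.exe opens java.exe with full access rights, so that the process-access check has something to fire on. It assumes RuleName is "-" and that network records are IPv4, which holds for every record here.

```python
"""Parse the run-together Sysmon export shown above and run three checks over it."""
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample: four records copied from the export (CallTrace shortened to
# its first and last frame) plus one made-up record, 9999999, modelling a
# non-system binary opening java.exe with full access rights.
SAMPLE = r"""10341000x80000000000000001067923Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:53.672{761B69BB-84D3-607D-0403-00000000BA01}3726960C:\Windows\Explorer.EXE{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067919Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:50:53.660{761B69BB-646C-6080-FB5C-00000000BA01}5716ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-16\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\imageio4703114061513953366.tmpMD5=7BB72E51DB6DDFCD061489F00F6741D1,SHA256=AD9B85939BAB48885FE52FB86FC23F98F61B219381AB3D332E2077D288CCEBE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551597Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:50:51.746{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65022-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001551595Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:50:54.266{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9745C82E470EA109B991A6531DD04AB,SHA256=7B7BDC0E64621F9DB519D9355510D46AE6DEB4E2A516094B2639A457FE5C530Dfalsefalse - insufficient disk space 10341000x80000000000000009999999Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:01.000{761B69BB-0000-0000-0000-000000000000}4242100C:\Users\Public\stage.exe{761B69BB-646C-6080-FB5C-00000000BA01}5716C:\Program Files\OpenJDK\jdk-16\bin\java.exe0x1FFFFFC:\Users\Public\stage.exe+1234|C:\Windows\SYSTEM32\ntdll.dll+51781"""

# Anchors that survive the delimiter loss: Task == EventID for Sysmon (hence the
# back-reference), Keywords is always 0x8000000000000000, RuleName is "-" in every
# record on this page (assumption), and UtcTime has a fixed shape.
HEADER = re.compile(
    r"(?P<eid>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=eid)(?P<opcode>\d)"
    r"0x8000000000000000(?P<record_id>\d+)Microsoft-Windows-Sysmon/Operational"
    r"(?P<computer>.+?)-(?P<utc>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
)
BODY = {
    # Event 10 ProcessAccess. SourceProcessId and SourceThreadId are fused in the
    # export and are kept as one field rather than guessed apart.
    "10": re.compile(
        r"\{(?P<src_guid>[0-9A-F-]+)\}(?P<src_pid_tid>\d+)(?P<src_image>[A-Z]:\\.+?)"
        r"\{(?P<tgt_guid>[0-9A-F-]+)\}(?P<tgt_pid>\d+)(?P<tgt_image>[A-Z]:\\.+?)"
        r"(?P<access>0x[0-9A-Fa-f]+)(?P<calltrace>[A-Z]:\\\S+)$"
    ),
    # Event 23 FileDelete; Archived carries Sysmon's failure reason when false.
    "23": re.compile(
        r"\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<user>.+?)(?P<image>[A-Z]:\\.+?)"
        r"(?P<target>[A-Z]:\\.+?)(?P<hashes>MD5=[0-9A-F]+(?:,[A-Z0-9]+=[0-9A-F]+)*)"
        r"(?P<is_executable>true|false)(?P<archived>true|false(?: - .+)?)$"
    ),
    # Event 3 NetworkConnect, IPv4 only (every record here has *IsIpv6=false);
    # the Image is assumed to end in .exe so it can be told apart from User.
    "3": re.compile(
        r"\{(?P<guid>[0-9A-F-]+)\}(?P<pid>\d+)(?P<image>[A-Z]:\\.+?\.exe)(?P<user>.+?)"
        r"(?P<protocol>tcp|udp)(?P<initiated>true|false)(?P<src_v6>true|false)"
        r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?P<src_host>.*?)(?P<src_port>\d+)(?P<src_pname>[^\d]*?)"
        r"(?P<dst_v6>true|false)(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?P<dst_host>.*?)"
        r"(?P<dst_port>\d+)(?P<dst_pname>[^\d]*?)$"
    ),
}

def parse_export(text: str) -> List[Record]:
    """Split the export at record headers and parse each body by EventID."""
    flat = " ".join(text.split())          # rejoin lines that were broken mid-record
    heads = list(HEADER.finditer(flat))
    records: List[Record] = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        body = flat[head.end():end].strip()
        rec: Record = dict(head.groupdict())
        parser = BODY.get(rec["eid"])
        match = parser.match(body) if parser else None
        if match:
            rec.update(match.groupdict())
        else:
            rec["unparsed"] = body         # keep the raw body rather than drop data
        records.append(rec)
    return records

# Access rights that let the opener change the target's memory or threads.
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def injection_style_access(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """Event 10 records whose GrantedAccess includes an injection-capable right.
    The 0x1000 / 0x1410 / 0x3600 masks in the export are query rights only."""
    return [(r["record_id"], r["src_image"], r["tgt_image"], r["access"])
            for r in records
            if r["eid"] == "10" and "access" in r and int(r["access"], 16) & INJECTION_MASK]

def archive_failures(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Event 23 records where Sysmon could not keep a copy of the deleted file,
    so the deletion was logged but the artefact itself is gone."""
    return [(r["record_id"], r["computer"], r["archived"])
            for r in records
            if r["eid"] == "23" and r.get("archived", "").startswith("false")]

def outbound_connections(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """(computer, image, destination ip, destination port) for each initiated Event 3."""
    return [(r["computer"], r["image"], r["dst_ip"], r["dst_port"])
            for r in records
            if r["eid"] == "3" and r.get("initiated") == "true"]

if __name__ == "__main__":
    parsed = parse_export(SAMPLE)
    for hit in injection_style_access(parsed):
        print("process access:", hit)
    for hit in archive_failures(parsed):
        print("archive failure:", hit)
    for conn in outbound_connections(parsed):
        print("connection:", conn)
```

Run against the sample, the process-access check fires only on the made-up record, the archive check reports the win-host-5 deletion that Sysmon could not archive, and the connection inventory lists streamfwd.exe talking to 10.0.1.12:8000. The same three functions can be pointed at the whole export once it is read from a file.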
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551612 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:59.610 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551611 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:59.610 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=810BD4BF1C8EECD68774752092EF4CA2,SHA256=A5AEEF1D98D8D8F09176EA4CF2385657D4FC535FAAD91C9502015809868D6665 IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067958 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:59.030 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E2-607D-1F03-00000000BA01} TargetProcessId=5220 TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067957 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:59.030 SourceProcessGUID={761B69BB-818C-607D-0C00-00000000BA01} SourceProcessId/SourceThreadId=844972 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={761B69BB-84E4-607D-2203-00000000BA01} TargetProcessId=5440 TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe GrantedAccess=0x3600 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067956 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:59.012 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=515E3506A029E6F14C4848723AA3833C,SHA256=0F2B6FF40D8F7589F5D32C17AE3281B3AE880F28240229AA5E0416F6C356AFDF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551610 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:56.805 ProcessGuid={21761711-8431-607D-C500-00000000BB01} ProcessId=3840 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-5.attackrange.local SourcePort=65023 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-west-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventID=11 Version=2 Level=4 Task=11 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551614 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:51:00.644 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational CreationUtcTime=2021-04-19 13:21:25.072
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1551613 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-host-5.attackrange.local RuleName=- UtcTime=2021-04-21 17:51:00.644 ProcessGuid={21761711-8437-607D-CE00-00000000BB01} ProcessId=2032 User=NT AUTHORITY\SYSTEM Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational Hashes=MD5=AF3667AF51A42D4A20389B6082E9881E,SHA256=12FE7A07F24B5AD52795931FB6607E56C5B6659936D0C2F921C13DB4EC7C81D7 IsExecutable=false Archived=false - insufficient disk space
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067966 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:51:00.631 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1410 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067965 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:51:00.630 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067964 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:51:00.630 SourceProcessGUID={761B69BB-84D3-607D-0403-00000000BA01} SourceProcessId/SourceThreadId=372672 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={761B69BB-646C-6080-FB5C-00000000BA01} TargetProcessId=5716 TargetImage=C:\Program Files\OpenJDK\jdk-16\bin\java.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
EventID=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067963 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:50:55.757 ProcessGuid={761B69BB-8207-607D-CF00-00000000BA01} ProcessId=4116 Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe User=NT AUTHORITY\SYSTEM Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-982.attackrange.local SourcePort=32532 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=- DestinationPort=8000 DestinationPortName=-
EventID=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 EventRecordID=1067962 Channel=Microsoft-Windows-Sysmon/Operational Computer=win-dc-982.attackrange.local RuleName=- UtcTime=2021-04-21 17:51:00.119 ProcessGuid={761B69BB-820D-607D-D800-00000000BA01} ProcessId=1064 User=NT AUTHORITY\SYSTEM Image=C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AED0AA45E435CEC24806C7C2B18C4994,SHA256=3A182814DB7C70D262A15FF9BEA108BD4F2C236F41B7BEC0368E14A790585FDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067961Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:00.030{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067960Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:00.030{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067959Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:00.016{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88AD72917C64D8BED4F27D6187077F7,SHA256=BE8DB5A5EC4F16267EEBAC36087D6ADB8FC4ED4CD2C611767D5FACBA2D87B613,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:01.646{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:01.646{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574C9E9B12BC70B06907DE2B4C44238B,SHA256=F5D872CE990A61EC7CB5A23F4F083B7B4E4F524119C1EE540306AA37BB20975Dfalsefalse - insufficient disk space 13241300x80000000000000001067980Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001067979Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0b4c81c0) 13241300x80000000000000001067978Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 
17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d736ce-0x820c7858) 13241300x80000000000000001067977Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d736d6-0xe3d0e058) 13241300x80000000000000001067976Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d736df-0x45954858) 13241300x80000000000000001067975Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001067974Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0b4c81c0) 13241300x80000000000000001067973Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d736ce-0x820c7858) 13241300x80000000000000001067972Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 
17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d736d6-0xe3d0e058) 13241300x80000000000000001067971Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-21 17:51:01.950{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d736df-0x45954858) 23542300x80000000000000001067970Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:01.736{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17169CAE4CE3EA9C10955954A3413A44,SHA256=5D52FC4C7D7AC98FCE8493B98D2C9C67612093A9B3370E920E56A0A3D0C647D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067969Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:01.031{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A124E77BE17E6FBE1EA27C7173777F3,SHA256=9E0A8518669357444A38291C5FFB6CB631E509BBBE3231A3464D0DFAF90BE949,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067968Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:01.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067967Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:01.031{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:02.667{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:02.666{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339B68FE3F84982BD87643F6A5417B04,SHA256=9ABB852FB1C527332B630BC633D8827D40C1069065545BAEE35A838D6AF9ECDDfalsefalse - insufficient disk space 23542300x80000000000000001067983Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:02.039{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A759F643F5DF2424AFFACD60359C541,SHA256=AD14FB0E9E6BC3A01FDA6348B29F42DC716450D2985A54C8DB0E3D020257414F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:02.016{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:02.016{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D0C59C67BE9BF95636A02423E552BC4,SHA256=D97924858B3401FC17E2D2E19363343FC929DDC4A0F66D57B121D5E1974CEF5Bfalsefalse - insufficient disk space 10341000x80000000000000001067982Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:02.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067981Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:02.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:03.769{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:03.768{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00723634798B57E9D4DAB0BB9A7D0EEE,SHA256=37F2BFEEBB4215338B9227B010F94B5DD117C81852FB239455BD058D69AFE0C4falsefalse - insufficient disk space 10341000x80000000000000001067987Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:03.550{761B69BB-818C-607D-0D00-00000000BA01}9046912C:\Windows\system32\svchost.exe{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067986Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:03.061{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6912D374B35AB2C26F35CCEFFB823D23,SHA256=66948D364795BE4E6D704D7AD0BF8DE879CBC7B54C3CDB29CDB95F338F2A6EDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067985Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:03.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067984Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:03.032{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:04.771{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:04.771{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86F5BBEB040A086C92171A5056053DD,SHA256=5972F51E74C69AA524AD41AF880C2BF161D09D1F70F7DAE5BC61AADEA5D35FD6falsefalse - insufficient disk space 23542300x80000000000000001067990Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:04.071{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA49585C328FEFBE9200B2752E902A5,SHA256=D2EB2CC9EAD857B68F2F46C44C49CB88C28DE7C7FF5F8E2A61EE1057A23A6B7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:02.607{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65024-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001551624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:04.073{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:04.073{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5337CCB2D5A4FBFD08560855745D4149,SHA256=7BCE7BFD02F669642DDF7AAFF128F84CEB8AD08ED96AE02887B51CB0E0B80B32falsefalse - insufficient disk space 
10341000x80000000000000001067989Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:04.033{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067988Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:04.033{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:05.809{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:05.809{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00712DDF55C23037849B92B9849818E9,SHA256=BC9C34BE7F048A98EAFDA4B6B10BE280BB1A5D92899544A37266E8205679E703falsefalse - insufficient disk space 10341000x80000000000000001067997Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:05.455{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001067996Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:05.455{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001067995Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:05.454{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb4c8f6c.TMPMD5=95E355D75CB9B0A6D076CE414DF2B1F4,SHA256=0C9CCEB014A154B30949E1761541EBBD3B0FC9CC2554B5C0868A7F1CDB481C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067994Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:05.233{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F29FEDF47A33891D264E043D4AD7765E,SHA256=29D652000C19D989D6F0872DB2C01E41D84A4A1240531899B0B4872665354D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001067993Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:05.082{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF6A996E1E76FB49C948A895549DA72,SHA256=BE8066A68F76C8C8C6D5461FCB85AD3928290E96E6ADF4AE68C94E6AF2CE1009,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001067992Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:05.034{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001067991Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:05.034{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:06.842{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
10341000x80000000000000001068013Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:08.052{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068012Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:08.052{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068011Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:08.052{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068010Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:08.052{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068009Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:08.052{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-660C-6080-2F5D-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001068008Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:08.051{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-660C-6080-2F5D-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001068007Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:08.050{761B69BB-660C-6080-2F5D-00000000BA01}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001068006Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:08.036{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068005Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:08.036{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001068020Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:09.169{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3AAD882D71CF5E87FF9D2CAF8E19A5,SHA256=6E3691D8250D02AC056257C36C8FA28BBFC508E78FDCE40A60CE917F91D2F226,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:07.633{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65025-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001551699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:09.317{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:09.317{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F384B6A5ACF3481BFEE04D6B2E19F03F,SHA256=D219002BF54ABE3EAE4699A55B269760FC40A910512E1E9074472FEF8C48B8D9falsefalse - insufficient disk space 11241100x80000000000000001551697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:09.101{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:09.101{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE1E6673840347AE2C243F3D26A1EA07,SHA256=6855DA36895BFA0715CC34AEF99B5A1065BA9CEA138BFB3551319F9A7232E3B1falsefalse - insufficient disk space 11241100x80000000000000001551695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:09.101{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:09.101{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBA8C18D797C842AEB460E0D8FE2CCE8,SHA256=0DF7B2D04A2FD1F2F84D4B51787D5798470037AB94A934B7FAEB0ECE5A0ADF1Efalsefalse - insufficient disk space 23542300x80000000000000001068019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:09.054{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9758D879A7EA7EC416963B101BC44CCF,SHA256=58744729D6A2F4D619641923C79988DEF32A82ADE423AFC0648EB71A27740CCC,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001068018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:09.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:09.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001551716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6 13241300x80000000000000001551715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 
17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,7202269,17102418,41484365,39965824,7153487,17110988,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617 12241200x80000000000000001551714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000001551713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000001551712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata 12241200x80000000000000001551711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry 12241200x80000000000000001551710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 
17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common 12241200x80000000000000001551709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0 12241200x80000000000000001551708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office 12241200x80000000000000001551707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft 12241200x80000000000000001551706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software 12241200x80000000000000001551705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 12241200x80000000000000001551704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft 
Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor 12241200x80000000000000001551703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:51:10.584{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe 11241100x80000000000000001551702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:10.119{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:10.119{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FBADDE416C6D8A96ED20FE63F55FB8,SHA256=2DE0FB09D1C2626C3031298D33BB14FF7053B29B1B9DE30E4D32138657597689falsefalse - insufficient disk space 23542300x80000000000000001068023Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:10.177{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD9C1D1E90323F05B7AD17FAB0A4E47,SHA256=9BBFCCF6323460E688A89710C65881E91634F2AD7B2D208BF738E06486CD1B37,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001068022Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:10.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068021Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:10.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:11.322{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436 23542300x80000000000000001551719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:11.322{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D315E7757B5B58249B8AA5436C09B63F,SHA256=AF9F465054E1076A462545E95E8AA9E85A9A5210288877077179033789EDE6EAfalsefalse - insufficient disk space 11241100x80000000000000001551718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:11.291{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:11.291{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5FE18A59F7CC1B9E2C4563FAD2BC63,SHA256=A1B628D84D717540E291B2A04991633B44F9ED38BB12CAC9E33BD96861B167DBfalsefalse - insufficient disk space 10341000x80000000000000001068047Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:11.809{761B69BB-660F-6080-315D-00000000BA01}62726920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001068046Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:11.664{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-660F-6080-315D-00000000BA01}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068045Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:11.662{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068044Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:13.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001551732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:12.743{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65027-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x80000000000000001551731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:12.642{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65026-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001551730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:14.530{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:14.530{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E75C1770489C987434E06E465AF366,SHA256=DF4FAEE81F1BC169A35B269F1F1184D0B38BE49F7E8A3ADB001B96C138A9B678falsefalse - insufficient disk space 23542300x80000000000000001068082Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:14.208{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED5199A94C8EA7CF3E05636796AED2E,SHA256=737B851B4CD0B219D82E6044F6265BA12B60207657F8D6021C21B5178D3E160C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:14.094{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:14.094{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE1E6673840347AE2C243F3D26A1EA07,SHA256=6855DA36895BFA0715CC34AEF99B5A1065BA9CEA138BFB3551319F9A7232E3B1falsefalse - insufficient disk space 10341000x80000000000000001068081Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:14.040{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068080Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:14.040{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001068079Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:14.000{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDA54116D97EABE8E7FAD10AAC1E7E6B,SHA256=43A0A8B14B7BBB46577A09FFA7C56C282A2337F861CEC42AD19F15CA5FDF9770,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:15.733{21761711-8437-607D-CE00-00000000BB01}2032C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:15.733{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AB081A049B2690C9F57CB720A63146,SHA256=20B4FB8C30731CC97D5F1BDA7F9E6EA164E34FA7B848FD496625739D23FEA187falsefalse - insufficient disk space 23542300x80000000000000001068085Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:15.214{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79FA52751499253EF28562AB21F1D30,SHA256=6EA9B30C5D92EA5DDC6D35264C80B3CC75D11157096B6B842E45DC353CC124E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068084Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:15.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001068083Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:15.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:16.735{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:16.735{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD5216C7B09793064EC54997A74E4E8,SHA256=4D56CC6A3B584C0D16A8B3FD6957449BACC60747731C46D3018E3CD80127A7D5falsefalse - insufficient disk space 23542300x80000000000000001068089Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:16.237{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D55AD60FF5151103CA13B17370CF4F3A,SHA256=8943C7E1C60D1BC871A9FDA5D22568A5088A2355E89B57C6EE99D6D63DD573D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001068088Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:16.217{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E749D7F935A8599A6D46CAAFF6D6A6B,SHA256=98FB68C207318C88B95BBFD96989A8EB9D6569CEA478B3EB837C1E8424DFFA37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068087Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:16.042{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068086Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:16.042{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:17.738{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:17.738{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A40DD5AC75B94492A181CA372355B25,SHA256=97999E0159FFDCCE42AB063C4758E18BB19E4FB80C49554B4DB902419098140Ffalsefalse - insufficient disk space 22542200x80000000000000001068093Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:12.634{761B69BB-65F6-6080-2E5D-00000000BA01}14045d592eba.c2.dns.getbobspizza.com08.8.8.8;C:\Windows\System32\dllhost.exe 23542300x80000000000000001068092Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:17.230{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638A0765E10BD2B0B1763BFA8ACE2FC4,SHA256=D3240FFDD26E7039F45ACE02B2B71AB17B87447E21B5542D82EF7005B57860F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068091Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:17.042{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068090Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:17.042{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:18.840{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:18.840{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4C9439AFFB31501734DEDEA9F4090F,SHA256=EF8D6C4946268703349275AFEC194E3D4793FF419A1974464E0EA954305E7C24falsefalse - insufficient disk space 354300x80000000000000001068097Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:12.673{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32537-false10.0.1.12-8000- 23542300x80000000000000001068096Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:18.245{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C9BAA8EEBDA574A3E19902006F292E,SHA256=B87436441E15C613C4A69F987411DAFB79AF0017E76FCCB48F2256F65FD7E288,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068095Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:18.043{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068094Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:18.043{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:19.874{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:19.874{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5437F09584A871049986B65CE96CD295,SHA256=35F11EC6EA5C78DB16EB3420928576D4DA14A16834E0F58EF89DD7A24610ADE3falsefalse - insufficient disk space 23542300x80000000000000001068100Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:19.259{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CB7E6F8865106F155A885A06F8F856,SHA256=4929A200B02F19D7C5D5D9B3CB52C36D1444B235465CBD7BBC47ACF357B473C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068099Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:19.044{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068098Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:19.044{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:20.876{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:20.876{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986BDB073685218FB5ADF97EAD8E1AF8,SHA256=4EC519FB9118874F4EB52CBCB4DE65A02865A40B7781E1353918E09100BBB86Efalsefalse - insufficient disk space 10341000x80000000000000001068112Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.650{761B69BB-6618-6080-345D-00000000BA01}61046824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068111Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.499{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6618-6080-345D-00000000BA01}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068110Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.497{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068109Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:20.497{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068108Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.497{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068107Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:20.497{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068106Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.497{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-6618-6080-345D-00000000BA01}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001068105Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.496{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6618-6080-345D-00000000BA01}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001068104Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.496{761B69BB-6618-6080-345D-00000000BA01}6104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001068103Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.271{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C8B1A37B99C87B1E1425C7ACCFDBB8,SHA256=23FE89AABD9273A88501E9042A5B396DA67ECE6F9686D4F5130E62CCA7B12954,IMPHASH=00000000000000000000000000000000falsetrue 
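The records above contain the interesting activity in this window on win-dc-982: an Administrator-run copy of dllhost at C:\Users\Administrator\Desktop\64_dllhost.exe (PID 2304) and the real C:\Windows\system32\dllhost.exe (PID 384) both open TCP sessions to 34.218.235.219:443 (an EC2 host) within 200 ms of each other, and a System32 dllhost.exe issues a DNS query for an opaque hex label under c2.dns.getbobspizza.com. Meanwhile every Sysmon FileDelete (EventID 23) record from win-host-5 carries "false - insufficient disk space" in its Archived field, while the same records from win-dc-982 say "true". The following Python is an added example, not part of the original capture: it runs four detection checks over a handful of these events, transcribed by hand into dicts because the capture has lost its field delimiters. One boundary is an assumption: the DNS record collapses ProcessId and QueryName into "14045d592eba…"; Windows PIDs are multiples of 4, so PID 1404 with query "5d592eba.c2.dns.getbobspizza.com" is assumed. The thresholds in the DNS rule (four labels, a 7+ character hex leading label) are the editor's choice, not a Sysmon or Splunk convention.

```python
"""Detection checks over a few of the Sysmon events captured in this excerpt.

Added example; not part of the original capture. EVENTS is constructed by
hand from records visible on the page. Assumed boundary: the DNS record
collapses ProcessId and QueryName into "14045d592eba..."; PIDs are multiples
of 4, so PID 1404 with query "5d592eba.c2.dns.getbobspizza.com" is assumed.
"""
import ipaddress
import ntpath
from collections import defaultdict

DC, HOST = "win-dc-982.attackrange.local", "win-host-5.attackrange.local"
SPLUNK = r"C:\Program Files\SplunkUniversalForwarder"

EVENTS = [
    # EventID 3 (NetworkConnect): a dllhost copy on the desktop and the real one reach the same host.
    {"EventID": 3, "Computer": DC, "UtcTime": "2021-04-21 17:51:08.167", "ProcessId": 2304,
     "Image": r"C:\Users\Administrator\Desktop\64_dllhost.exe", "User": r"ATTACKRANGE\Administrator",
     "Initiated": True, "SourceIp": "10.0.1.14", "SourcePort": 32535,
     "DestinationIp": "34.218.235.219", "DestinationPort": 443},
    {"EventID": 3, "Computer": DC, "UtcTime": "2021-04-21 17:51:08.331", "ProcessId": 384,
     "Image": r"C:\Windows\system32\dllhost.exe", "User": r"ATTACKRANGE\Administrator",
     "Initiated": True, "SourceIp": "10.0.1.14", "SourcePort": 32536,
     "DestinationIp": "34.218.235.219", "DestinationPort": 443},
    # EventID 3: routine forwarder traffic to the Splunk indexer (stays on the private network).
    {"EventID": 3, "Computer": HOST, "UtcTime": "2021-04-21 17:51:12.642", "ProcessId": 3840,
     "Image": SPLUNK + r"\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "Initiated": True, "SourceIp": "10.0.1.15",
     "SourcePort": 65026, "DestinationIp": "10.0.1.12", "DestinationPort": 8000},
    # EventID 22 (DnsQuery): a local host name, then an opaque hex label under a "c2" subdomain.
    {"EventID": 22, "Computer": DC, "UtcTime": "2021-04-21 17:51:08.317", "ProcessId": 384,
     "Image": r"C:\Windows\system32\dllhost.exe", "QueryName": "win-dc-982",
     "QueryResults": "169.254.79.158;10.0.1.14;"},
    {"EventID": 22, "Computer": DC, "UtcTime": "2021-04-21 17:51:12.634", "ProcessId": 1404,  # assumed split
     "Image": r"C:\Windows\System32\dllhost.exe", "QueryName": "5d592eba.c2.dns.getbobspizza.com",
     "QueryResults": "8.8.8.8;"},
    # EventID 23 (FileDelete): Archived says whether Sysmon kept a copy of the deleted file.
    {"EventID": 23, "Computer": HOST, "UtcTime": "2021-04-21 17:51:13.512", "ProcessId": 2032,
     "Image": SPLUNK + r"\bin\splunk-winevtlog.exe", "Archived": "false - insufficient disk space"},
    {"EventID": 23, "Computer": DC, "UtcTime": "2021-04-21 17:51:13.204", "ProcessId": 1064,
     "Image": SPLUNK + r"\bin\splunk-winevtlog.exe", "Archived": "true"},
]

SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "conhost.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HEX = set("0123456789abcdef")


def masquerading_system_binaries(events):
    """Images whose name ends in a system binary's name but that run from outside System32."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        name = ntpath.basename(image).lower()
        if any(name.endswith(s) for s in SYSTEM_BINARIES) and ntpath.dirname(image).lower() not in SYSTEM_DIRS:
            hits.append((ev["Computer"], ev["ProcessId"], image))
    return hits


def shared_external_destinations(events):
    """(ip, port) -> sorted images, for public destinations reached by two or more distinct images."""
    by_dest = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 3 and ev["Initiated"] and ipaddress.ip_address(ev["DestinationIp"]).is_global:
            by_dest[(ev["DestinationIp"], ev["DestinationPort"])].add(ev["Image"])
    return {dest: sorted(images) for dest, images in by_dest.items() if len(images) >= 2}


def suspicious_dns(events):
    """DnsQuery events whose leading label is a 7+ char hex token under a name with 4+ labels."""
    hits = []
    for ev in events:
        if ev["EventID"] != 22:
            continue
        labels = ev["QueryName"].lower().split(".")
        if len(labels) >= 4 and len(labels[0]) >= 7 and set(labels[0]) <= HEX:
            hits.append((ev["Computer"], ev["ProcessId"], ev["Image"], ev["QueryName"]))
    return hits


def archive_failures(events):
    """Hosts whose FileDelete archiving is failing, with the reason Sysmon reported."""
    failing = {}
    for ev in events:
        if ev["EventID"] == 23 and not ev["Archived"].lower().startswith("true"):
            failing.setdefault(ev["Computer"], ev["Archived"])
    return failing


if __name__ == "__main__":
    for check in (masquerading_system_binaries, shared_external_destinations, suspicious_dns, archive_failures):
        print(check.__name__, check(EVENTS))
```

Two practitioner notes on the surrounding records. First, the EventID 10 (ProcessAccess) entries in which sysmon64.exe (PID 2816) opens dllhost.exe PID 384 with GrantedAccess 0x1fffff and 0x1400 have call stacks that never leave sysmon64.exe, KERNEL32 and ntdll: that is the sensor itself inspecting the process it is reporting on, not a third party reaching into it, so the dllhost finding rests on the network and DNS records, not on those handle opens. Second, the archive failure matters for forensics: on win-host-5 the deleted files behind every EventID 23 here are not being preserved, so the ArchiveDirectory volume needs space before FileDelete can be relied on there; and since nearly all of the 11/23 churn on both hosts is splunk-winevtlog.exe rewriting its own checkpoint files under var\lib\splunk\modinputs\WinEventLog, excluding that path in the Sysmon configuration would remove most of the noise that is filling the archive in the first place.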
354300x80000000000000001551747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:18.642{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65028-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001551746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:20.108{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:20.108{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD2B33D8E942E6C201E991986A980766,SHA256=D6ACA587B9B397AB9F60FA317E1FC618E34F122DA36D049864113498550E3B5Cfalsefalse - insufficient disk space 11241100x80000000000000001551744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:20.108{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:20.107{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5D4BE1E0AD70EB895475B2477E9CD02,SHA256=D7ABA5D2E9C260F7C46FD6D574C33AE641AB78D7B0CC4EDC1286757363788873falsefalse - insufficient disk space 10341000x80000000000000001068102Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068101Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068134Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.847{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6619-6080-365D-00000000BA01}6832C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068133Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.846{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068132Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:21.846{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068131Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.846{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068130Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:21.845{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068129Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.845{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-6619-6080-365D-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001068128Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.845{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6619-6080-365D-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001068127Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.845{761B69BB-6619-6080-365D-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001068126Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.608{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F12B8B73072BDA9629670504CABFF633,SHA256=614B291ED7F13F65D4F9FA072885E3F9F0844FA0F9708B8E90B354CBB4643088,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001068125Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.607{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5207FAE91D724BC136607FE734F6CDD4,SHA256=3D1E09767625F9522E8E347E43CFF80FF824E4DE7FFDFA5C018E367A784145DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068124Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.314{761B69BB-6619-6080-355D-00000000BA01}63486340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001068123Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.288{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B140393FB93D5BBF97F431948C22B5,SHA256=E0A89FDF96770FDC5BB4EA7C235E4FE68E4A12561C0C4CECCC0FF2AF6D3716AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068122Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:21.179{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6619-6080-355D-00000000BA01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068121Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.177{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068120Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:21.177{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068119Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.176{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068118Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:21.176{761B69BB-818C-607D-0C00-00000000BA01}8442240C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068117Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.176{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-6619-6080-355D-00000000BA01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001068116Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.176{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6619-6080-355D-00000000BA01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001068115Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.175{761B69BB-6619-6080-355D-00000000BA01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001068114Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:21.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068113Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:21.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:22.095{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:22.095{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5C4D9643ADC31B84FD511542CBE2C3,SHA256=D8BA32D4F580ED45C14397EC7D340BBF87328623CA114A8C6546A65E33AC9539falsefalse - insufficient disk space 23542300x80000000000000001068137Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:22.294{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E422E1DC1FA7F707D48104AECEB3B3,SHA256=DC99C990B85AF39A02180F16ED9A6E298D6D92918A116231847B24EDB9BE0DEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068136Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:22.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068135Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:22.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:23.115{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:23.115{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C160867726D19B0162DCEA4C81949FC,SHA256=D732F186A75F1BC204D85433436C57E8C7CE8D489FCC75E872E91DF77C8C7BEFfalsefalse - insufficient disk space 354300x80000000000000001068142Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:17.811{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32538-false10.0.1.12-8000- 23542300x80000000000000001068141Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:23.301{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B64A9C9859B7BB0DF1D358E71EC866,SHA256=CB47CFF1E2E588BF76C389DAB73288FD5560F937B6C9D674D5057DE59E557C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001068140Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:23.076{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F12B8B73072BDA9629670504CABFF633,SHA256=614B291ED7F13F65D4F9FA072885E3F9F0844FA0F9708B8E90B354CBB4643088,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068139Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:23.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068138Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:23.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001068145Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:24.320{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4C080B8770A4F5DEC68F91D554E3CF,SHA256=922B049CFC11EB35F641DF6D9830465F9D82CB94929D43389DE6BBF1A2161530,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:24.318{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:24.318{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36591D1144C9015CBF6DC897424EF875,SHA256=724E4E212B466C394EDF2BBB246921ED1CFE9D43ECA61BD29994D7C3D2154227falsefalse - insufficient disk space 
10341000x80000000000000001068144Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:24.047{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068143Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:24.047{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001068151Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.751{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32539-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 354300x80000000000000001068150Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:20.751{761B69BB-819C-607D-2400-00000000BA01}2752C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-982.attackrange.local32539-true0:0:0:0:0:0:0:1win-dc-982.attackrange.local389ldap 23542300x80000000000000001068149Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:25.327{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59F08E8A294B066FD95571673E074EE,SHA256=9BC4E42E4E696174701A617FF66E6F518464CE06E349646768E96468270F9F20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001551762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:23.691{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local65029-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001551761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:25.321{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:25.321{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD74937A439000306B180956B74191F,SHA256=A8D4F6C6950299E66EBA71492AD5FE7EF71D9FACC3F607F7487A586264F5FB60falsefalse - insufficient disk space 
23542300x80000000000000001068148Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:25.306{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54BAE33577B91FB426864EFB0A38D117,SHA256=D631ED7F86ECC289FB626B2219E7B78EE4E58A0E729DD2986488B7004C364F76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068147Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:25.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068146Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:25.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
11241100x80000000000000001551759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:25.140{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:25.140{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9496764B75EC1E40F6A6C6401265924,SHA256=3F75D9B7AE15F4EC3F9F7CD4D3181857EF4A407DB022EB0606EDEA7FB9EC2F30falsefalse - insufficient disk space 11241100x80000000000000001551757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:25.140{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:25.140{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD2B33D8E942E6C201E991986A980766,SHA256=D6ACA587B9B397AB9F60FA317E1FC618E34F122DA36D049864113498550E3B5Cfalsefalse - insufficient disk space 11241100x80000000000000001551807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.459{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 
13:21:25.072 23542300x80000000000000001551806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.459{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FDF79A3011CCF0268ADEECE1B9102EB,SHA256=8DC3179B017B0E1EF235DA8FE5E077333157EF5E4202B48297A58365BFC0FCD2falsefalse - insufficient disk space 23542300x80000000000000001068155Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:26.358{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D06C7AE60F6E93004461724916E8230A,SHA256=81296D3977E21126DC89189645400E8666E08DCEFF65ECF72F5EBEC94A083E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001068154Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:26.334{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31564756103D2F043306D754DD11F42,SHA256=0F0FB6D083B6ACAE7158C0339C93AACC93EF0A0A856E3EB8E4F591D0879973C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068153Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:26.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068152Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:26.048{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D1-607D-0101-00000000BB01}4292C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84D0-607D-0001-00000000BB01}5072C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:26.142{21761711-83AE-607D-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001551775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:27.049{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:28.579{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:28.579{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8670E5010A6C6149276922C85F2B71AF,SHA256=9119050F51F8EAC47479561BCF6CCEA980E4B7DDBCA44BB8DD7CE4D653939EC3falsefalse - insufficient disk space 354300x80000000000000001068163Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:23.689{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32540-false10.0.1.12-8000- 23542300x80000000000000001068162Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:28.348{761B69BB-820D-607D-D800-00000000BA01}1064NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FDE9E970B8DBC0A19CB617A5BE8143E,SHA256=1DF8BA01354BE0403D58BEB7203832DF7DCBBB440CFF549ACECA95825CD5D790,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:28.029{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:28.029{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9496764B75EC1E40F6A6C6401265924,SHA256=3F75D9B7AE15F4EC3F9F7CD4D3181857EF4A407DB022EB0606EDEA7FB9EC2F30falsefalse - insufficient disk space 10341000x80000000000000001068161Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:28.050{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068160Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:28.050{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001068159Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:28.024{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C43BCA1B779996F694AB29FDD6FF5C50,SHA256=335DA03A5508789A29B9F3A27067D1E473B30CDBDD3E5476F313D0F3C1D5D8A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001551871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:29.582{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:29.582{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89638955617A1E9A088A5B9BBEA9ACDF,SHA256=167DB07A467F5058CB11BB97F68D8ABCDE06030F0272469E8D47BFE92538D23Efalsefalse - insufficient disk space 
23542300x80000000000000001068167Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:29.869{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001068166Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:29.351{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C44BE5B62A3FAC124D4983495B504A0,SHA256=BACBBB5E77EFB360A746A0C1AEA4E7C27C6A4177BB09F55D98647371C6BD9F5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068165Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:29.051{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068164Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:29.051{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001551873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:30.584{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001551872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:30.584{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF25F9FB5C89B1721ED925D9A11DDC2B,SHA256=C8BC5791F6476DEACA4E91330FA19A11916DE15370F42C158F4F55D3685EA0AAfalsefalse - insufficient disk space 23542300x80000000000000001068171Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:30.934{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AD2B43EC3497E95F7D3A897BA60BCFD,SHA256=318156702385913A4A3A4A32E5FC85FAED7D8A2508507098B125E6BB8DB79348,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001068170Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:30.357{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9D2339A2472E3652B2FB92BE6DDAB9,SHA256=4726C9BBE3CC70D427BCE93333079AD895E06D30A161B5CC905B66E702CE2BFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001068169Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:30.051{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068168Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:30.051{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000001068175Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:26.533{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local32541-false10.0.1.12-8089- 23542300x80000000000000001068174Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:31.377{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575445E2F84678255DC3CBC966BC1791,SHA256=D03F884B37ACBB0AE61C03B430C000F0D04878F458D7068A4621DC942E7CB486,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001551995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.919{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001551994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.919{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001551993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.919{21761711-6623-6080-625E-00000000BB01}70403452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001551992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.919{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001551991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.919{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x80000000000000001551990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.803{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001551989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.803{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001551988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.803{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001551987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:31.803{21761711-6623-6080-625E-00000000BB01}7040\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001551986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.803{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft 
WindowsValid 18141800x80000000000000001551985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:31.803{21761711-6623-6080-625E-00000000BB01}7040\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x80000000000000001551984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.803{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001551983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001551982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001551981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001551980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001551979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001551978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001551977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001551976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001551975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001551974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001551973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001551972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001551971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.787{21761711-6623-6080-625E-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001551970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001551885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.186{21761711-6623-6080-615E-00000000BB01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x80000000000000001551884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.186{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-6623-6080-615E-00000000BB01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001551883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.170{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6623-6080-615E-00000000BB01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001551882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.171{21761711-6623-6080-615E-00000000BB01}5848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001551881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:31.170{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:51:31.170{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:31.170{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 
17141700x80000000000000001551878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:51:31.170{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:31.170{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:51:31.170{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001551875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.134{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:31.134{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2140352BBB57E97ADE2E7C3D1342BDFA,SHA256=19B465CB16D6742E16592F8C2057EA87D76CA9E48A1CDE501EA22857E114EBBDfalsefalse - insufficient disk space 10341000x80000000000000001068173Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 
17:51:31.051{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068172Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:31.051{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001552058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.774{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001552057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.774{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2449765DFCF59F2512B0BE47AF739A97,SHA256=193EDAC13EE1137B92297D5E290149C61A3CD9B97BE1C2C0A5A9118A2FFD6BA4falsefalse - insufficient disk space 23542300x80000000000000001068178Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:32.382{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69764D6F139FFA9A6F25C754C4964E94,SHA256=3418BB21777F2C2BD761852F909BAD5F06E6A5E4741B721D3F0A6D4F72B93DEE,IMPHASH=00000000000000000000000000000000falsetrue 534500x80000000000000001552056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.520{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001552055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.520{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x80000000000000001552054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.520{21761711-6624-6080-635E-00000000BB01}33327504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001552053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.520{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x80000000000000001552052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.520{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x80000000000000001552051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.420{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001552050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.420{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260BEB29AFF32588D424190348FD9E50,SHA256=E28F8C3EFDA726CB0D4CB4E220F715E92FFAC3DE04BE43C668DB652CD6DE7E49falsefalse - insufficient disk space 734700x80000000000000001552049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001552048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001552047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 
18141800x80000000000000001552046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001552045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001552044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x80000000000000001552043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001552042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001552041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001552040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001552039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001552038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001552037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001552036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001552035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 
734700x80000000000000001552034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001552033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001552032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001552031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001552030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001552029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001552028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001552027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001552026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001552025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001552024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001552023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001552022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001552021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001552020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001552019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001552018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001552017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001552016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001552015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 10341000x80000000000000001068177Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:32.051{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001068176Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:51:32.051{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001552014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001552013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001552012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 10341000x80000000000000001552011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001552010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 
17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001552009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001552008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001552007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 
10341000x80000000000000001552006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.389{21761711-83AC-607D-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001552005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.373{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-6624-6080-635E-00000000BB01}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001552004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.374{21761711-6624-6080-635E-00000000BB01}3332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x80000000000000001552003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:32.373{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001552002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:51:32.373{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001552001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:32.373{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001552000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:51:32.373{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x80000000000000001551999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:32.373{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x80000000000000001551998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:51:32.373{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x80000000000000001551997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.173{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001551996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:32.173{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88D5F0D97A42C0D6996B74AA7838F654,SHA256=E535CF65131D8F10D1787B99672B58D61057CC0766425773F3537C79FF5ABC28falsefalse - insufficient disk space 734700x80000000000000001552168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001552167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 
734700x80000000000000001552166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x80000000000000001552165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001552164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x80000000000000001552163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x80000000000000001552162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001552161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x80000000000000001552160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x80000000000000001552159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x80000000000000001552158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 
(rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001552157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x80000000000000001552156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x80000000000000001552155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x80000000000000001552154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x80000000000000001552153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x80000000000000001552152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x80000000000000001552151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x80000000000000001552150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program 
Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x80000000000000001552149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x80000000000000001552148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x80000000000000001552147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x80000000000000001552146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 
librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x80000000000000001552145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.761{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001552144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001552143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001552142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001552141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001552140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001552139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 
734700x80000000000000001552138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001552137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001552136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001552135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001552134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001552133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001552132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001552131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:51:33.745{21761711-6625-6080-655E-00000000BB01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client 