10341000x80000000000000001527470Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:43.113{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002441895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:44.610{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:44.610{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4B8A81929E0EBCE9544631160C1F8B,SHA256=7D0DB2E810FC8C039EED576429E5C1FBBB8ACB0481227601B5150F592F2D2147falsefalse - insufficient disk space
23542300x80000000000000001527475Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:44.557{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EA724C47A0C3B0261490ED28DBFCF3,SHA256=1435D81422CCC25D1562DBF98902F435720545FD5777C99C1A41F86566268C53,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002441893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:44.171{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002441892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:44.171{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=612C881289FABD2AD725EDE5A61308DD,SHA256=D57A0248B8300CBF329CADE694DB79A9601014F512AB80EB7EA1C43758C967EBfalsefalse - insufficient disk space
10341000x80000000000000001527474Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:44.114{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527473Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:44.114{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002441898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:45.612{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:45.612{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E112A6CFC8C2E9A7E7CAA9019E83BA5,SHA256=D6D5D021BDEA3EEF8CDB2D4E1309CD10871D238A7089AE10712A06B4FE0CAAFFfalsefalse - insufficient disk space
354300x80000000000000001527481Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:39.602{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1045-false10.0.1.12-8000-
23542300x80000000000000001527480Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.563{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0136E1A2C97FC7B130DCE733604B77EC,SHA256=A0F57EB9389483A153B067EE079309708BDBDCCB27BF42AF25524F977E2BEA11,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002441896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:42.614{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49256-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
10341000x80000000000000001527479Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.115{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527478Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.115{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527477Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.021{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=461351E1F172F28CD71115034E5704E6,SHA256=6043E4A185852399B63C2D852560B05832456EEEF7819CE3040D1034FAB6CD1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527476Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.021{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59B71AEAD3D5FB4110A892BD53C672EE,SHA256=5BEEA16FA76715A13DACF0C3910AF0A889225239B97AC86D344373927C058FB8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002441900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:46.846{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:46.846{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345FA711B46C0C68BD261E052567E564,SHA256=546A14D892C5EEBB07CDBB5E8C2854FAF2915AC02A62851C51D3D883F4A8EA51falsefalse - insufficient disk space
23542300x80000000000000001527484Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:46.570{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92A702780CC0C225A22F7FB11149160,SHA256=2BB5514E4E114A417A45FFAC7A0AA271501E961D0DF761E0EC8B0A5FB90C63BB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527483Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:46.116{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527482Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:46.116{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002441902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:47.901{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:47.901{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658BDA3DD7B338F5141E4B4D37137B38,SHA256=6222C42868D00E1E90C963044C17256ACD50AA017CB01319D5E7A93759D632F6falsefalse - insufficient disk space
23542300x80000000000000001527487Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:47.573{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D5644B28B5953EFC145E3B0F352D8F,SHA256=EC56B735CB83CD556F2FBA0C051B5F3E22D0B6258719060AC609A11083F9B47E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527486Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:47.117{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527485Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:47.117{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002441904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:48.951{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:48.951{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94949246F44BBCF46D3E28450DAFE74,SHA256=D6128B20D10374F1D036A135BC7DC5BEF2602157E435F762C732C1B75B2AEC76falsefalse - insufficient disk space
23542300x80000000000000001527490Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:48.576{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45AE881AB6E1EBC12B3C13CF7225A06,SHA256=11C62E67E2DF424AB1E908B31D4F5DE6EF54517732420A59DE87620FB3252D86,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527489Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:48.118{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527488Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:48.118{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002441910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.985{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.985{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C1D94772312340F9671498FE27EEE4,SHA256=F4003507D8F86B22476873CE557F2D32DB3021B59B9B9E6F88777ED9D8AE27AAfalsefalse - insufficient disk space
23542300x80000000000000001527494Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:49.593{761B69BB-8200-607D-A100-00000000BA01}4148NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=E21F5C2105D3482548EE1DCEAA8E3F18,SHA256=A62C5AB5FD16B72845400EE5338C4D5D0AC27884510730AA80A58BEA4A9B021E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527493Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:49.580{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5091D153352563AD94A0B33FA51C3F03,SHA256=173FCE522A633D500A87138A13903892A3245F0C9DBFEF49DCA43E20334D8B49,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002441908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002441907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BFD8CE87E65D937E38D6EC4F4ED353F,SHA256=716AB510E497E301575B11A5B76D891C6F9E4EDFF594C23524AECA96C292599Cfalsefalse - insufficient disk space
11241100x80000000000000002441906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.336{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002441905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:49.336{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF14F034B5B5FB4B096AA4A1B45DAB3D,SHA256=15DD9125CAB973EB3AB25191DF30A02A0FF8E438C111F2B3C5F87FEBEBB2CDD1falsefalse - insufficient disk space
10341000x80000000000000001527492Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:49.119{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527491Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:49.119{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527501Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.039{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1047-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
354300x80000000000000001527500Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:44.738{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1046-false10.0.1.12-8000-
23542300x80000000000000001527499Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.599{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7547B544E3A06F084394609A545EFEEA,SHA256=D801498B731FC0D9D00449AE65281B40F8DA275D6484CACFAD7F8495B7E01A00,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002441911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:47.626{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49257-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
23542300x80000000000000001527498Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.197{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94CA781D447C01AB9BB49E131EA619E5,SHA256=2A7B9E0FF2B68E056772DA185D9722D2E8269D55D1E7CB198600B3449ECDB739,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527497Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.196{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=461351E1F172F28CD71115034E5704E6,SHA256=6043E4A185852399B63C2D852560B05832456EEEF7819CE3040D1034FAB6CD1D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527496Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.120{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527495Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.120{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527505Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:45.182{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1048-false10.0.1.12-8089-
23542300x80000000000000001527504Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:51.605{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762F4B1453DDEFD6EF488EC528DB1B9A,SHA256=4168344FF948B6757F7966BE8ACF9C5C44375806FF4F5871DB0235ADE1EBCD0F,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002441913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:51.205{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:51.205{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A593759FE3DEAF19480D2C979589453C,SHA256=694C2C2FDF45433383FE76F10C1BC40AF3B6D35D50791498CA0059C791365293falsefalse - insufficient disk space
10341000x80000000000000001527503Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:51.121{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527502Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:51.121{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527517Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.613{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2595EEC46071FBD8D70CFD2BBB8A6DFB,SHA256=5ED4FEEE7E910C454AEA36ACDCE471F4E7F3B4B09A295B7B23EA5C6A51BDCB17,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002441915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:52.209{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:52.209{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D1CD41ABACE0B670D9B5E1DC75DF18,SHA256=91C07A7D1860CA5C4AEABE0DE5F36EFBA433FA665D74EA1A7F0A3713617BBD8Afalsefalse - insufficient disk space
10341000x80000000000000001527516Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.122{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527515Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.122{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527514Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.092{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A78C-6081-0C83-00000000BA01}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527513Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.090{761B69BB-818C-607D-0C00-00000000BA01}8445128C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527512Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.090{761B69BB-818C-607D-0C00-00000000BA01}8445128C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527511Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.090{761B69BB-818C-607D-0C00-00000000BA01}8445128C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527510Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.090{761B69BB-818C-607D-0C00-00000000BA01}8445128C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527509Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.090{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-A78C-6081-0C83-00000000BA01}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001527508Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.089{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A78C-6081-0C83-00000000BA01}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001527507Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.088{761B69BB-A78C-6081-0C83-00000000BA01}6996C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001527506Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:52.015{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9B2BF4A6127285B0D72408A91427DFB8,SHA256=C2D2FFB3177DBC4D1A7F1C3422A3D962FF4136957AF142EB5482FBEB1B795E32,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527521Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:53.616{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2911FF42AABB191FFA41560AFFB617F,SHA256=1D584796A0CEFE3983CE79A9E8FABC3CF42DDBCA1A1D315038FD229E3624DD64,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002441917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:53.212{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:53.212{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E4AEB8017BC4B4BD6B215CA3065605,SHA256=1E9BF03EFD7329045BBCAD8AAF509DD7FB748680E43D60CB0345B696D0E6892Efalsefalse - insufficient disk space
10341000x80000000000000001527520Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:53.122{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527519Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:53.122{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527518Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:53.092{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94CA781D447C01AB9BB49E131EA619E5,SHA256=2A7B9E0FF2B68E056772DA185D9722D2E8269D55D1E7CB198600B3449ECDB739,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527524Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:54.639{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01993CE520E4ADA69C278AFE0C6EA62B,SHA256=6768B6235A363FC8ACD5D7B12BC50EF9D38D4F584DB488552401F557B76D0391,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002441923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:54.348{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
11241100x80000000000000002441922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:54.348{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:54.348{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1D5A5E1E80B4B509591B79FC257D993,SHA256=89C766F746DB92EAE5CA3F3C023EDCFDE6469374020C93F694B625D8458C8856falsefalse - insufficient disk space
23542300x80000000000000002441920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:54.348{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED77C3DD893184E31235B88F56DA2394,SHA256=255783DA3C8F57FB971871FAACEEE6AF10E82A526B343AA585146CEFE22D97CFfalsefalse - insufficient disk space
11241100x80000000000000002441919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:54.348{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002441918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:54.348{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BFD8CE87E65D937E38D6EC4F4ED353F,SHA256=716AB510E497E301575B11A5B76D891C6F9E4EDFF594C23524AECA96C292599Cfalsefalse - insufficient disk space
10341000x80000000000000001527523Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:54.123{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527522Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:54.123{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527528Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:55.642{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189A31E18D8AD9684CD6121194F52612,SHA256=AFC8391B2678672379A09F4F9C2EE915398E3D17BE92DF04322BF7B30BEA8361,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002441926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:52.669{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49258-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002441925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:55.366{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002441924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:55.366{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DBB0853685414F24BD50E0DC6A8586,SHA256=FB3FBA921435C1375BCA2CB8BCCFFA1D0E887987B60AA6556C3F11991F4174D9falsefalse - insufficient disk space
10341000x80000000000000001527527Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:55.472{761B69BB-818A-607D-0B00-00000000BA01}6323780C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x80000000000000001527526Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:55.124{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527525Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:55.124{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527552Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.957{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A790-6081-0E83-00000000BA01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527551Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.955{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527550Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.955{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527549Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.955{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527548Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.955{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527547Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.954{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-A790-6081-0E83-00000000BA01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001527546Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.954{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A790-6081-0E83-00000000BA01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001527545Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.954{761B69BB-A790-6081-0E83-00000000BA01}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x80000000000000001527544Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:51.065{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1050-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds
354300x80000000000000001527543Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:51.065{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1050-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds
354300x80000000000000001527542Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:50.635{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1049-false10.0.1.12-8000-
23542300x80000000000000001527541Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:56.651{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5B73DD48E88D9DC39ADA860D7A4275,SHA256=40FA6C99D5E04129DB6D81AB08C3D58E3DD240F02BFCA110243607FB78D5DC4A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000002442664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.972{21761711-84C9-607D-F200-00000000BB01}37844720C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3c9e7e|C:\Windows\System32\windows.storage.dll+3c5b4f|C:\Windows\System32\windows.storage.dll+3c6c90|C:\Windows\System32\windows.storage.dll+3c8d0e|C:\Windows\System32\windows.storage.dll+13c3e3|C:\Windows\System32\windows.storage.dll+13bdd9|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x80000000000000002442663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.972{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList\MRULista
12241200x80000000000000002442662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.972{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList
10341000x80000000000000002442661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.972{21761711-A791-6081-7E84-00000000BB01}27446944C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c73e8|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.972{21761711-A791-6081-7E84-00000000BB01}27446944C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c73cc|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.972{21761711-A791-6081-7E84-00000000BB01}27446944C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c73cc|C:\Windows\System32\windows.storage.dll+3cb9df|C:\Windows\System32\windows.storage.dll+3cbf38|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175294|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175179|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002442658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.956{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725
23542300x80000000000000002442657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.956{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F127F9949BDC922DFD3997F86306F82C,SHA256=251B023FE8E16B41A39BC4F8780A9ECECE7DC16DB0C2C3A3D94F0139392285C6falsefalse - insufficient disk space
734700x80000000000000002442656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.956{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid
10341000x80000000000000002442655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.956{21761711-A792-6081-8084-00000000BB01}21288044C:\Windows\system32\sppsvc.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+7ec28|C:\Windows\system32\sppsvc.exe+749f0|C:\Windows\system32\sppsvc.exe+95a0e|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4
10341000x80000000000000002442654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.956{21761711-A792-6081-8084-00000000BB01}21288044C:\Windows\system32\sppsvc.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+74b0a|C:\Windows\system32\sppsvc.exe+959c1|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.956{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
10341000x80000000000000002442652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.956{21761711-A792-6081-8084-00000000BB01}21287204C:\Windows\system32\sppsvc.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+7ec28|C:\Windows\system32\sppsvc.exe+749f0|C:\Windows\system32\sppsvc.exe+95a0e|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4
10341000x80000000000000002442651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.956{21761711-A792-6081-8084-00000000BB01}21287204C:\Windows\system32\sppsvc.exe{21761711-84C8-607D-EB00-00000000BB01}1744C:\Windows\System32\RuntimeBroker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d889|C:\Windows\system32\sppsvc.exe+74b0a|C:\Windows\system32\sppsvc.exe+959c1|C:\Windows\system32\sppsvc.exe+54717|C:\Windows\system32\sppsvc.exe+a1ebb|C:\Windows\system32\sppsvc.exe+b429a|C:\Windows\system32\sppsvc.exe+b458f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002442650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.934{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725
23542300x80000000000000002442649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.934{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2B8D4D2751CA01A43A006BB954715B55,SHA256=E1DC257075F1B491518EB37508986DDC1C503067AEEDB561E84C5DE91C8017F1falsefalse - insufficient disk space
10341000x80000000000000002442648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.903{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.903{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x80000000000000002442646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.903{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000150606\VirtualDesktopBinary Data
12241200x80000000000000002442645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.903{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000150606
10341000x80000000000000002442644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.903{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002442643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.872{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725
23542300x80000000000000002442642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.872{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A2C1BC67D87304CD2B00D89401A6AC9C,SHA256=9530F56FB09C166C9F74AB4C5C08E11D01F9A421D3FF8D5618688C5C47479059falsefalse - insufficient disk space
12241200x80000000000000002442641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000002442640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.251{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso98win32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso98Win32Client.dllMD5=A2DA2F37011629C919B6BC2F261600A4,SHA256=3B904FF382D604527E2853C0FA2780F591C7AC235CC98758E997750FC138AA83trueMicrosoft CorporationValid
12241200x80000000000000002442639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442632Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442631Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.872{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442630Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442629Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442628Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442627Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442626Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442625Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442624Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442623Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442622Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442621Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442620Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442619Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442618Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442617Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.856{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
734700x80000000000000002442616Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.856{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=40873566DBFF13981CA1AE23AC281C5D,SHA256=E52C4619C837358454B969D31E2E14ACDEDABB384272D48C03E4F0AF9A2C2B6EtrueMicrosoft WindowsValid
11241100x80000000000000002442615Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.854{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002442614Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.854{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5114B1326C47EC68F9833F710063F68C,SHA256=3274AA8A505497EEB3D58B3C4FAF8092939498F4AB080B4595F4AAF81600EF4Efalsefalse - insufficient disk space
734700x80000000000000002442613Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.819{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDCtrueMicrosoft WindowsValid
734700x80000000000000002442612Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.819{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\BCP47Langs.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)BCP47 Language ClassesMicrosoft® Windows® Operating SystemMicrosoft CorporationBCP47Lang.dllMD5=F688C2B9DD2EB56C3B0312B6380338AA,SHA256=B22DB210486D3B5F4EEB17900C5E7AA0EEFEDBB068A0C4858EFE9F8018C34628trueMicrosoft WindowsValid
734700x80000000000000002442611Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.819{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\Windows.Globalization.dll10.0.14393.4169 (rs1_release.210107-1130)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D48D3F64A7718C672CDEC0B7A8CB7695,SHA256=C459390E3E67665FC2413469F8C29544DB9421D14B6C40F68B1674C924898B71trueMicrosoft WindowsValid
13241300x80000000000000002442610Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.803{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\ExcelWorkbookAutoRecoverDirtyDWORD (0x00000000)
12241200x80000000000000002442497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.671{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
12241200x80000000000000002442496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-22 16:42:58.671{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems\$s4
12241200x80000000000000002442495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.671{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\Common
13241300x80000000000000002442494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.656{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastWriteTimeExcelBinary Data
13241300x80000000000000002442493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.656{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\Roaming\RoamingLastSyncTimeExcelBinary Data
734700x80000000000000002442492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.656{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cabinet.dll5.00 (rs1_release.160715-1616)Microsoft® Cabinet File APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcabinet.dllMD5=08A4A2712DB2AE10E483FB74E46B0E73,SHA256=EEB32E3E4256CC9935227ACD5BA576B75F1F6FE3C818D2127513CB22F823FECBtrueMicrosoft WindowsValid
11241100x80000000000000002442491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.654{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002442490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.654{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169A91FFE42990D9C3C836C552164C9,SHA256=BC947A25B1BDC0DB7681D4015E261A976ACCAE2E2F8AC8620840E39819120296falsefalse - insufficient disk space
11241100x80000000000000002442489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.602{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002442488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.602{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12025709FC7370195DD0DFC03394ADF,SHA256=39CEA81DB12F672BD653023EEE21DE717D58003AE011DD82932AF27DA9E0A6B8falsefalse - insufficient disk space
12241200x80000000000000002442487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
734700x80000000000000002442485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\dsclient.dll10.0.14393.0 (rs1_release.160715-1616)Data Sharing Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdsclient.dllMD5=68B9D02A469519C6BFD9F39854EE8E62,SHA256=A7646650AB50D076DBBC6E9B767565DDA71B078814BC2071BA525F118B861883trueMicrosoft WindowsValid
12241200x80000000000000002442484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000002442458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\WpPortingLibrary.dll10.0.14393.0 (rs1_release.160715-1616)<d> DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWpPortingLibrary.dllMD5=9F86158107F4C4A954E1A1594A73E769,SHA256=8D797D0B92ACE4957EDC3380C06D54CC2912896248A2A68E86F83FA0B7A24136trueMicrosoft WindowsValid
12241200x80000000000000002442457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000002442434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\System32\Windows.System.Launcher.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.System.LauncherMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.System.Launcher.dllMD5=384379949D62C818AF52A5DE919A62FD,SHA256=21F85FFD4DD9A61088194F9A416ED1496EE781033D1A23E69893EAC583C72B68trueMicrosoft WindowsValid
12241200x80000000000000002442433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.587{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.571{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
13241300x80000000000000002442409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.571{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000)
12241200x80000000000000002442408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.571{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation
12241200x80000000000000002442407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.571{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\system32\sppsvc.exeHKLM\SYSTEM\WPA
13241300x80000000000000002442406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.571{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\system32\sppsvc.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\ServiceSessionIdBinary Data
734700x80000000000000002442405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.571{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000002442404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.571{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid
11241100x80000000000000002442403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.571{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725
12241200x80000000000000002442402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.571{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000002442293Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.552{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000002442292Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.552{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid
734700x80000000000000002442291Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.551{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid
13241300x80000000000000002442290Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.550{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000)
12241200x80000000000000002442289Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.550{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation
734700x80000000000000002442288Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.549{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
10341000x80000000000000002442287Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.548{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442286Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.548{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442285Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.548{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000002442284Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.547{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid
12241200x80000000000000002442283Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.546{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442282Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.546{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
10341000x80000000000000002442281Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.546{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000002442280Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.546{21761711-83AD-607D-0A00-00000000BB01}6205264C:\Windows\system32\services.exe{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000002442279Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.529{21761711-A792-6081-8084-00000000BB01}2128C:\Windows\System32\sppsvc.exe10.0.14393.4104 (rs1_release.201202-1742)Microsoft Software Protection Platform ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationsppsvc.exeC:\Windows\system32\sppsvc.exeC:\WindowsNT AUTHORITY\NETWORK SERVICE{21761711-83AD-607D-E403-000000000000}0x3e40SystemMD5=CE92D4BEC4DCB1921757E4F2FC121837,SHA256=2ED9F59A4EB534F51C6182FF5E40D9C03A6D4D2454E53F787E79CC8FADA209C7{21761711-83AD-607D-0A00-00000000BB01}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe
734700x80000000000000002442278Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.164{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE16.0.13127.21506Microsoft ExcelMicrosoft OfficeMicrosoft CorporationExcel.exeMD5=E9DCD26B4206A2A38CFC5BA4A32D1BEE,SHA256=DB9091C29D475071EF9C0F5794C33733A979E6528B5714B52F330F57011EFCCDtrueMicrosoft CorporationValid
12241200x80000000000000002442277Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442276Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442275Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442274Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442273Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442272Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.541{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.540{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
10341000x80000000000000002442254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.540{21761711-83AE-607D-1400-00000000BB01}4801584C:\Windows\system32\svchost.exe{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.539{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
11241100x80000000000000002442252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.538{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002442251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.538{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1157AAFD5863DB0A67D4A639C7AD1CB7,SHA256=DBF62224B790BFC35B5E61B1ECA0F268202577FB5ECD0140C2E2483DF4E38557falsefalse - insufficient disk space
13241300x80000000000000002442250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.534{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data
10341000x80000000000000002442249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.534{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.534{21761711-83AD-607D-0B00-00000000BB01}628668C:\Windows\system32\lsass.exe{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x80000000000000002442247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.534{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data
13241300x80000000000000002442246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.534{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data
13241300x80000000000000002442245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.533{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data
13241300x80000000000000002442244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.533{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data
13241300x80000000000000002442243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.533{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data
734700x80000000000000002442242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.532{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ncryptsslp.dll10.0.14393.3541 (rs1_release_inmarket.200218-2047)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=E1BDF589E27B64D6637852872F4BA1D0,SHA256=C79B6A4AD264169C5B6F177083FD17C26832CD6A838DB697C7BC3C533A162733trueMicrosoft WindowsValid
734700x80000000000000002442241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.531{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid
734700x80000000000000002442240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.530{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x80000000000000002442239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.530{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
10341000x80000000000000002442238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.528{21761711-83AE-607D-1000-00000000BB01}9601492C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12241200x80000000000000002442237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.527{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\system32\wbem\wmiprvse.exeHKCR
10341000x80000000000000002442236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.527{21761711-83AE-607D-1000-00000000BB01}9601492C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.526{21761711-83AE-607D-1000-00000000BB01}9601492C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.526{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.526{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x80000000000000002442232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.525{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\SessionIdBinary Data
10341000x80000000000000002442231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.525{21761711-83AD-607D-0B00-00000000BB01}6284020C:\Windows\system32\lsass.exe{21761711-83AD-607D-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442159Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.479{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid
13241300x80000000000000002442158Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.478{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited:
13241300x80000000000000002442157Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.477{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie:
13241300x80000000000000002442156Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.476{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty)
734700x80000000000000002442155Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.476{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid
734700x80000000000000002442154Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.475{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid
734700x80000000000000002442153Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.473{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid
734700x80000000000000002442152Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.473{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid
734700x80000000000000002442151Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.472{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid
734700x80000000000000002442150Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.469{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid
10341000x80000000000000002442149Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.469{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442148Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.469{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid
13241300x80000000000000002442147Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.469{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data
13241300x80000000000000002442146Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.469{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000)
734700x80000000000000002442145Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.468{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid
734700x80000000000000002442144Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.468{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid
734700x80000000000000002442143Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.467{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\winhttp.dll10.0.14393.4169 (rs1_release.210107-1130)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=24995B62FFC2519B34A2145673BD275F,SHA256=BB7D4DE1BE6111462F65F999A8969DA04113F15A80D534A93D3CCC76A9FE1F22trueMicrosoft WindowsValid
734700x80000000000000002442142Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.466{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid
734700x80000000000000002442141Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.465{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
11241100x80000000000000002442140Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.464{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{D7E81E19-F91E-4607-8B0B-E472D89D708C}2021-04-22 16:42:58.464
13241300x80000000000000002442139Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.464{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2744\0Binary Data
12241200x80000000000000002442138Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:42:58.463{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\6712
12241200x80000000000000002442137Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteValue2021-04-22 16:42:58.463{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\6712\0
734700x80000000000000002442136Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.463{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000002442135Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.461{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wininet.dll11.00.14393.4283 (rs1_release.210303-1802)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=15916ED65A44D47842A1CC3CE3CF4883,SHA256=7F00B84CE68E843425323FA7F60E49F4011A9A8AB42948E6CEB9B3A204268C53trueMicrosoft WindowsValid
13241300x80000000000000002442134Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.461{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x80000000000000002442133Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.461{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x80000000000000002442132Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.460{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x80000000000000002442131Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.460{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x80000000000000002442130Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DownloadContentStateConsentTime(Empty)
13241300x80000000000000002442129Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DownloadContentStateSourceLocationDWORD (0x00000007)
13241300x80000000000000002442128Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DownloadContentStateDWORD (0x00000000)
13241300x80000000000000002442127Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\UserContentDependentStateConsentTime(Empty)
13241300x80000000000000002442126Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\UserContentDependentStateSourceLocationDWORD (0x00000007)
13241300x80000000000000002442125Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\UserContentDependentStateDWORD (0x00000000)
13241300x80000000000000002442124Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ControllerConnectedServicesStateConsentTime(Empty)
13241300x80000000000000002442123Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ControllerConnectedServicesStateSourceLocationDWORD (0x00000007)
13241300x80000000000000002442122Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ControllerConnectedServicesStateDWORD (0x00000000)
13241300x80000000000000002442121Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ServiceConnectionStateConsentTime(Empty)
13241300x80000000000000002442120Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ServiceConnectionStateSourceLocationDWORD (0x00000007)
13241300x80000000000000002442119Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\ServiceConnectionStateDWORD (0x00000001)
13241300x80000000000000002442118Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DiagnosticDataConsentConsentTime(Empty)
13241300x80000000000000002442117Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000)
13241300x80000000000000002442116Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000)
13241300x80000000000000002442115Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DiagnosticDataConsentLevelSourceLocationDWORD (0x00000007)
13241300x80000000000000002442114Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\DiagnosticDataConsentLevelDWORD (0x00000001)
13241300x80000000000000002442113Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous\UserCategoryDWORD (0x00000000)
12241200x80000000000000002442112Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache\Anonymous
12241200x80000000000000002442111Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.459{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Office\16.0\Common\Privacy\SystemCache
734700x80000000000000002442110Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.456{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\iertutil.dll11.00.14393.4283 (rs1_release.210303-1802)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=5541A4A7FB64063F8AFB192ABD4DAE70,SHA256=AABF2E6C392F29B77F076BF705976B68B3100138BC63060335BD154B8417754DtrueMicrosoft WindowsValid
734700x80000000000000002442109Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.455{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\urlmon.dll11.00.14393.4225 (rs1_release.210127-1811)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=37266F6D0E2F86FD3FC6E4724ED49823,SHA256=8AD484F4A7964D2D87047771BB21D3211F204F87D4EB029C1EFAA4FD935333B1trueMicrosoft WindowsValid
734700x80000000000000002442108Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.455{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\normaliz.dll10.0.14393.0 (rs1_release.160715-1616)Unicode Normalization DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnormaliz.dllMD5=65930A2C537774A8CBB0A1BE20266D51,SHA256=2879DECC03521C385C5D29381B002E7B70BB448BC2787D9C08174592C7D80BC8trueMicrosoft WindowsValid
734700x80000000000000002442107Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.455{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\sppc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationsppc.dllMD5=7CF84329545035CC0833119C7268A620,SHA256=49E3FA8B9F9ACB1A2CEDE37970361316C93286CEE7F70DE5985E7135498A4210trueMicrosoft WindowsValid
734700x80000000000000002442106Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.453{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\slc.dll10.0.14393.67 (rs1_release.160804-2231)Software Licensing Client DllMicrosoft® Windows® Operating SystemMicrosoft Corporationslc.dllMD5=060E11DCB875D981E948073986E295DC,SHA256=30858EA58F24537CC3369091F92AD70C59877BDB1FDF8DEC7762A7AB72DDE885trueMicrosoft WindowsValid
734700x80000000000000002442105Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.449{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8trueMicrosoft WindowsValid
18141800x80000000000000002442104Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:42:58.448{21761711-A791-6081-7E84-00000000BB01}2744\wkssvcC:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
734700x80000000000000002442103Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.448{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000002442102Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.448{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000002442101Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.447{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\npmproxy.dll10.0.14393.4169 (rs1_release.210107-1130)Network List Manager ProxyMicrosoft® Windows® Operating SystemMicrosoft Corporationnpfproxy.dllMD5=4D76C6FAF3D01B31A68C9ABF95F4B7D4,SHA256=9B771613C067880E99ED3D68E6C2A43C6B252E899D44682ADEB5A7F02E925920trueMicrosoft WindowsValid
11241100x80000000000000002442100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.447{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\EXCEL\App_1619109778447426300_2FAC0A15-0B75-42C8-A76C-95AED4D76AD5.log2021-04-22 16:42:58.447
11241100x80000000000000002442099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.447{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\Diagnostics\EXCEL\App_1619109778446970800_2FAC0A15-0B75-42C8-A76C-95AED4D76AD5.log2021-04-22 16:42:58.447
734700x80000000000000002442098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.444{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid
11241100x80000000000000002442097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.430{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002442096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.430{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66E143A10B0FB3122C8AF15071050C5,SHA256=5B5C87155EE720CE9A0D3ADD6FE57E55FAAE2B6A338D480C737BF5EF316150DAfalsefalse - insufficient disk space
734700x80000000000000002442095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.422{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
734700x80000000000000002442094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.421{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msvcp110_win.dll10.0.14393.2007 (rs1_release.171231-1800)Microsoft® STL110 C++ Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp110_win.dllMD5=BFB390484F611C21582AD11E4C6ADEF2,SHA256=30B5AD268C022FCA2AACAE2CB6E4DC36F6A01C16A006046BB4417CEA96DA4F5AtrueMicrosoft WindowsValid
10341000x80000000000000002442093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.421{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442092Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.420{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000002442091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.419{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\netprofm.dll10.0.14393.4169 (rs1_release.210107-1130)Network List ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationnetprofm.dllMD5=02AD37C3C2D54BCD9E7BD2AFF3D6E7A6,SHA256=D71D631EC1790A9BD9451EFAEFC7EBADE6353A17CDBB4D8AAACD3102430A686EtrueMicrosoft WindowsValid
734700x80000000000000002442090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.417{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\twinapi.appcore.dll10.0.14393.4169 (rs1_release.210107-1130)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=B877C5BDEA2215B3D3CF89F645EB535C,SHA256=2F5468CC4277C8CB4B2AD1095AFC739ECAE0F0B6EE78E57BF64A97F3BDA54C19trueMicrosoft WindowsValid
734700x80000000000000002442089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.408{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\WinTypes.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=AAA321C636929D23C58B5A78EDA04B61,SHA256=E33D62CC132B8D790B3604DBE227CD2A270E30C1B71881BB4E3B00732CE56E5CtrueMicrosoft WindowsValid
11241100x80000000000000002442088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.401{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002442087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.400{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1628BD0D21AF1CCA5CC33F23A4EDD6CE,SHA256=D95C5EE3BC3A3B98079D0B3BBB5FB92E211B56BC564208C712D9DD4519E528F1falsefalse - insufficient disk space
734700x80000000000000002442086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.397{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid
10341000x80000000000000002442085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.395{21761711-83AD-607D-0B00-00000000BB01}6284020C:\Windows\system32\lsass.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.395{21761711-83AD-607D-0B00-00000000BB01}6284020C:\Windows\system32\lsass.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.395{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x80000000000000002442082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.394{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid
734700x80000000000000002442081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.336{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid
13241300x80000000000000002442080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.336{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\ExcelWorkbookOpenedCountDWORD (0x00000000)
13241300x80000000000000002442079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.336{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\ImmersiveWorkbookDirtySentinelDWORD (0x00000000)
13241300x80000000000000002442078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.320{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems\$s4Binary Data
12241200x80000000000000002442077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.320{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
12241200x80000000000000002442076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.320{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency
734700x80000000000000002442075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.320{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AEtrueMicrosoft WindowsValid
734700x80000000000000002442074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.320{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dxgi.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3C32D763740C83DB2C44DEA4B6F18C54,SHA256=ED26DBB9C3656767CA25887CDC3B45CF978AFC75E064FF5457A36C7A69E55223trueMicrosoft WindowsValid
10341000x80000000000000002442073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.320{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.320{21761711-83AD-607D-0C00-00000000BB01}7247892C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.320{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570trueMicrosoft WindowsValid
734700x80000000000000002442070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.305{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid
10341000x80000000000000002442069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.305{21761711-83AE-607D-1600-00000000BB01}11085200C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.305{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002442067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.305{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
734700x80000000000000002442066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.305{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\d2d1.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft D2D LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationd2d1MD5=E15A420D82314AF63973D7D0AB3BA2DD,SHA256=C264B2FA1F3E67E558E2671807C06270926EF456F4FF83F1F9859B18184F187EtrueMicrosoft WindowsValid
11241100x80000000000000002442065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.274{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\ADMINI~1\AppData\Local\Temp\2\{2FAC0A15-0B75-42C8-A76C-95AED4D76AD5} - OProcSessId.dat2021-04-22 16:42:58.274
13241300x80000000000000002442064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.274{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000001)
13241300x80000000000000002442063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.274{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-USDWORD (0x00000002)
734700x80000000000000002442062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.272{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid
734700x80000000000000002442061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.271{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msi.dll5.0.14393.4350Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=DEC633243BDCEAD0E3BDDDAFBC933F02,SHA256=FC9AFA9CDD6ECC1194C1532F37AF6FEE9E888DC5D2056BCE0C59538A389FC9DEtrueMicrosoft WindowsValid
13241300x80000000000000002442060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.270{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2744\0Binary Data
12241200x80000000000000002442059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.270{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\2744
734700x80000000000000002442058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.269{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid
13241300x80000000000000002442057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.251{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling\1Binary Data
734700x80000000000000002442056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.251{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BABtrueMicrosoft WindowsValid
734700x80000000000000002442055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid
734700x80000000000000002442054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso30win32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso30Win32Client.dllMD5=07AC00D96DD2A96C07386BAB1BA8BD63,SHA256=B0A63D4055AFBAAD131972DD9E70E404F2116DB5C09702E8CFC559B468F8CC66trueMicrosoft CorporationValid
734700x80000000000000002442053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid
734700x80000000000000002442052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid
734700x80000000000000002442051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid
734700x80000000000000002442050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\RstrtMgr.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Restart ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRstrtMgr.dllMD5=F14EA4521A8C000F1165581B5837355E,SHA256=6CB383C1FFB8AB7301B1666EEA83FD484EA049147C834725894652DB20D28359trueMicrosoft WindowsValid
734700x80000000000000002442049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.236{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid
734700x80000000000000002442048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Mso20win32client.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMso20Win32Client.dllMD5=8A534D2BDBC58D598A4C5624D016AB73,SHA256=A98B2C3A5DD863A639B2ABA879911B0DC1FFB51980F4E3831332CB40CA6B7324trueMicrosoft CorporationValid
12241200x80000000000000002442047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Office\ClickToRun
12241200x80000000000000002442046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Office
12241200x80000000000000002442045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft
12241200x80000000000000002442044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE
10341000x80000000000000002442043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.220{21761711-85CB-607D-5301-00000000BB01}70087784C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4c224|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4dd30|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+584fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+57f5f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+56e48|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.205{21761711-85CB-607D-5301-00000000BB01}70087784C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+73c87|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+7522e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+14519|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a430|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c
10341000x80000000000000002442041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.205{21761711-85CB-607D-5301-00000000BB01}70087784C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+2d73e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+16070|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+15184|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17233|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a40c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac
13241300x80000000000000002442040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListExBinary Data
13241300x80000000000000002442039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListExBinary Data
13241300x80000000000000002442038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\2Binary Data
13241300x80000000000000002442037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.205{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\20Binary Data
11241100x80000000000000002442036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\5952598816096256.lnk2021-04-22 16:42:58.189
12241200x80000000000000002442035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder
12241200x80000000000000002442034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
13241300x80000000000000002442033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data
13241300x80000000000000002442032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xlsm\MRUListExBinary Data
13241300x80000000000000002442031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xlsm\2Binary Data
13241300x80000000000000002442030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\19Binary Data
11241100x80000000000000002442029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\document-752139500.xlsm.lnk2021-04-22 16:42:58.189
12241200x80000000000000002442028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xlsm
12241200x80000000000000002442027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
12241200x80000000000000002442026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
12241200x80000000000000002442025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{bd98497a-0000-0000-0000-100000000000}
12241200x80000000000000002442024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList
12241200x80000000000000002442023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\RegisteredApplications
12241200x80000000000000002442022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\RegisteredApplications
13241300x80000000000000002442021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12Binary Data
12241200x80000000000000002442020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids
12241200x80000000000000002442019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
12241200x80000000000000002442018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.189{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{bd98497a-0000-0000-0000-100000000000}
10341000x80000000000000002442017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.189{21761711-85CB-607D-5301-00000000BB01}70087784C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+976c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12241200x80000000000000002442016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKLM\SOFTWARE\Microsoft\Office\Common
734700x80000000000000002442015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
12241200x80000000000000002442014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess
13241300x80000000000000002442013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\PointsBinary Data
13241300x80000000000000002442012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\LastAccessedTimeQWORD (0x00000000-0x00000000)
13241300x80000000000000002442011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\DisplayNamedocument-752139500.xlsm
13241300x80000000000000002442010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\PathC:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm
13241300x80000000000000002442009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\TypeDWORD (0x00000000)
12241200x80000000000000002442008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}
12241200x80000000000000002442007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems
734700x80000000000000002442006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\userenv.dll10.0.14393.3986 (rs1_release.201002-1707)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=047D26DCED07A10913C3E7C3A7502BED,SHA256=143C661F79AC6BB271452A10C2A19F6B1AAAAE43B4062B6CFF173F7D8ABC40FEtrueMicrosoft WindowsValid
12241200x80000000000000002442005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
734700x80000000000000002442004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid
12241200x80000000000000002442003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
734700x80000000000000002442002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x80000000000000002442001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000002442000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid
734700x80000000000000002441999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid
12241200x80000000000000002441998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess
734700x80000000000000002441997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\windows.storage.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=902EBA937960538CA5B7A586EAFE47EE,SHA256=0C5D100EFA1E51C36C0A6E4B35BFD09C3098616EE9B3E46DC49E9E1A8365A0DFtrueMicrosoft WindowsValid
13241300x80000000000000002441996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.EXCEL.EXE.15QWORD (0x01d73796-0x8d0c589d)
12241200x80000000000000002441995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData
734700x80000000000000002441994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\msvcp140.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=A1D30EF2114E18E26E2BB96555BE81BF,SHA256=F87819AE8C6F7C90D3237A1ABB9809E8CBA9DCD0C80AC3F0969A5E68EF652CA4trueMicrosoft CorporationValid
734700x80000000000000002441993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid
734700x80000000000000002441992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=23105A395B807D9335219958B4D0CEC1,SHA256=61832990E364DCA5BFA2C61D930F00ACAAE6D1AAA3130392403455AE9A1125A5trueMicrosoft CorporationValid
734700x80000000000000002441991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\vcruntime140_1.dll14.24.28127.4 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=9040ED0FDF4CE7558CBFFB73D4C17761,SHA256=6CC4315DACEB0522816C60678344466CB452426267F70C7FAAE925361674E774trueMicrosoft CorporationValid
734700x80000000000000002441990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
13241300x80000000000000002441989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6EC1369A-F7D0-4F29-9B44-3068C543FDB6}\LaunchCountDWORD (0x00000005)
13241300x80000000000000002441988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6EC1369A-F7D0-4F29-9B44-3068C543FDB6}\LastAccessedTimeQWORD (0x01d73796-0x8d0adb40)
734700x80000000000000002441987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\shell32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=E6D716FCDD7A5E7897267CDCED7D3EA3,SHA256=763990AA9286C3D945B6F0D617D3EB22CE88804AC3847F27A90509F813D77FD3trueMicrosoft WindowsValid
734700x80000000000000002441986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid
12241200x80000000000000002441985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
734700x80000000000000002441984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid
734700x80000000000000002441983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000002441982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000002441981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000002441980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid
734700x80000000000000002441979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid
734700x80000000000000002441978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
12241200x80000000000000002441977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.173{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess
734700x80000000000000002441976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll16.0.13127.21452Microsoft Office componentMicrosoft OfficeMicrosoft Corporationc2r64.dllMD5=987063E093C30254D80F6B8C2F4A5EEF,SHA256=BBD8531183283BC434943EF126723E75AC7ED7DE9DC87260C47C66B9615F4C11trueMicrosoft CorporationValid
734700x80000000000000002441975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000002441974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid
734700x80000000000000002441973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000002441972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid
734700x80000000000000002441971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll5.2.166.0AppVIsvSubsystems64Microsoft Application Virtualization (App-V)Microsoft CorporationAppVIsvSubsystems64.dllMD5=645BAECF733FD3E637C358C502FDAE1A,SHA256=BD56679E80DF33BC3F9B3B6435E5CC06DB953DF18EB4CF2FD13C094975314714trueMicrosoft CorporationValid
734700x80000000000000002441970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.173{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
12241200x80000000000000002441969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList
12241200x80000000000000002441968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\RegisteredApplications
12241200x80000000000000002441967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\RegisteredApplications
13241300x80000000000000002441966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12Binary Data
12241200x80000000000000002441965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.169{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids
13241300x80000000000000002441964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.167{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList\MRULista
12241200x80000000000000002441963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.167{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithList
13241300x80000000000000002441962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.166{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\MuiCache\104\52C64B7E\LanguageListBinary Data
13241300x80000000000000002441961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6EC1369A-F7D0-4F29-9B44-3068C543FDB6}\LaunchCountDWORD (0x00000005)
13241300x80000000000000002441960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{6EC1369A-F7D0-4F29-9B44-3068C543FDB6}\LastAccessedTimeQWORD (0x01d73796-0x8d0adb40)
734700x80000000000000002441959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.165{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
12241200x80000000000000002441958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
734700x80000000000000002441957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.165{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
13241300x80000000000000002441956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x80000000000000002441955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.165{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{6Q809377-6NS0-444O-8957-N3773S02200R}\Zvpebfbsg Bssvpr\Ebbg\Bssvpr16\RKPRY.RKRBinary Data
12241200x80000000000000002441954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.164{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000002441953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.164{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid
12241200x80000000000000002441952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.164{21761711-83AE-607D-1200-00000000BB01}304C:\Windows\System32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
10341000x80000000000000002441951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.163{21761711-83AE-607D-1200-00000000BB01}304684C:\Windows\System32\svchost.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002441950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.163{21761711-83AE-607D-1200-00000000BB01}304684C:\Windows\System32\svchost.exe{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002441949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.161{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000002441948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.161{21761711-84C9-607D-F200-00000000BB01}37842660C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+18d18c|C:\Windows\System32\SHELL32.dll+18cee3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000002441947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:57.686{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE16.0.13127.21506Microsoft ExcelMicrosoft OfficeMicrosoft CorporationExcel.exe"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm"C:\Users\Administrator\Desktop\5952598816096256\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=E9DCD26B4206A2A38CFC5BA4A32D1BEE,SHA256=DB9091C29D475071EF9C0F5794C33733A979E6528B5714B52F330F57011EFCCD{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\explorer.exeC:\Windows\Explorer.EXE
354300x80000000000000001527574Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:54.125{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal49860-
354300x80000000000000001527573Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:54.085{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64211-
23542300x80000000000000001527572Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:59.689{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE4D6EC05AF586312FA962EA73DCCEC5,SHA256=A11CF6544738B1B4099A1501320EE8DBCD66FBEEA61FCABE2A57D86A4E6B4E8F,IMPHASH=00000000000000000000000000000000falsetrue
12241200x80000000000000002443822Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000002443820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.188{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=9B2DCFE11EEBDDC18A8F5964E04E64A0,SHA256=5CBC5B45B9EB5B4EF1360005CD675D20D7EE9FE588DA24543FF7C9ACB88317FFtrueMicrosoft WindowsValid
12241200x80000000000000002443819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.636{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000002443793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.157{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\D3DCompiler_47.dll10.0.14393.3930 (rs1_release.200901-1914)Direct3D HLSL CompilerMicrosoft® Windows® Operating SystemMicrosoft Corporationd3dcompiler_47.dllMD5=6C441F5AD6724D68B27D9928C6C1170D,SHA256=EEA0AE3BDCEF59AF62F471E90C489044B8DB55BFF6377231E002A70AB1F8CF73trueMicrosoft WindowsValid
12241200x80000000000000002443792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.621{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
11241100x80000000000000002443770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.589{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002443769Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.589{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6864E9ABD0D9C6D4877D0F9A139C5E0A,SHA256=FB320FF7D14C9FBBF403581D37D92673E3A7C22180BC53CF420B0887CD8EDE50falsefalse - insufficient disk space
12241200x80000000000000002443768Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443767Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443766Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443765Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443764Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000002443763Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cscapi.dll10.0.14393.0 (rs1_release.160715-1616)Offline Files Win32 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcscapi.dllMD5=6433F8201BFB449DC6B47F6999C2F164,SHA256=06729F1E0A0596620B48B6DC4A2CC9CC5FE55B17BD488C71F7F15AA4262C8C14trueMicrosoft WindowsValid
12241200x80000000000000002443762Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443761Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443760Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443759Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443758Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443757Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443756Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443755Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443754Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443753Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443752Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443751Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443750Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443749Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443748Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443747Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443746Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443745Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443744Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443743Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443742Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443741Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000002443737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\ntshrui.dll10.0.14393.4169 (rs1_release.210107-1130)Shell extensions for sharingMicrosoft® Windows® Operating SystemMicrosoft Corporationntshrui.dllMD5=E996A5D4EA7754FF1B0411F0B1664603,SHA256=B2DA0AC549C551A2CAF0714EF3B344C33943292FB1FA9F2EEFA706B6FF18F1A2trueMicrosoft WindowsValid
12241200x80000000000000002443736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.574{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443710Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000002443709Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.988{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\linkinfo.dll10.0.14393.0 (rs1_release.160715-1616)Windows Volume TrackingMicrosoft® Windows® Operating SystemMicrosoft CorporationLINKINFO.DLLMD5=4CE9B67A187310E37E535FC4165E0933,SHA256=469B33A5DDAA93D28F66AE6D6956268F6F2F09F146734D00A931FBDD1D87DE42trueMicrosoft WindowsValid
12241200x80000000000000002443708Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002443680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.872{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\hlink.dll10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Microsoft Office 2000 componentMicrosoft® Windows® Operating SystemMicrosoft Corporationhlink.dllMD5=FD7A5F4DF14E2D70CE268E22C5A56650,SHA256=E159200E7E4F627FDCF37230F12412B45C18FB1D3EFB1D3F06B4FE1BAA205351trueMicrosoft WindowsValid
12241200x80000000000000002443679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
10341000x80000000000000001527571Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:59.577{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527570Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:59.577{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12241200x80000000000000002443664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.558{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
11241100x80000000000000002443661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.556{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002443660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.556{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB04A64C71154B59B9C03EC042CEC87C,SHA256=3B431C75D26BE623281CE35EBD91D1DF22C6B3AA66192FD4BE6937384A52C1A3falsefalse - insufficient disk space
12241200x80000000000000002443659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.556{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.553{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443657Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.553{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443656Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443655Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443654Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443653Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443652Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002443651Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.851{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid
12241200x80000000000000002443650Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443649Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443648Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443647Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443646Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443645Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443644Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443643Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443642Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443641Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443640Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443639Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443638Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443637Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443636Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443635Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443634Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.552{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443633Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.536{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
Sysmon Operational log records, one record per line, fields separated by " | " (the extracted page had the field boundaries collapsed).

EventCode 12 (RegistryEvent) fields: EventCode | Version | Level | Task | Opcode | Keywords | RecordNumber | Channel | Computer | UserID | EventType | UtcTime | ProcessGuid | ProcessId | Image | TargetObject
EventCode 7 (ImageLoad) fields: EventCode | Version | Level | Task | Opcode | Keywords | RecordNumber | Channel | Computer | UserID | UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus

12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443632 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443631 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443630 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2443629 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:42:58.834 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSPTLS.DLL | 16.0.13127.20164 | Microsoft Office component | Microsoft Office | Microsoft Corporation | msptls.dll | MD5=1BAB8E8FA116706ECB69AEAEA58277CB,SHA256=C7F3FE053C22DB4CE9F35B15F21A128DAEAED296B75D40B68D1F60E341F81E9E | true | Microsoft Corporation | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443628 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443627 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443626 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443625 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443624 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443623 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443622 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443621 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443620 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443619 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443618 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443617 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443616 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443615 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443614 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443613 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443612 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443611 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443610 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443609 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443608 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.536 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443607 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443606 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443605 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443604 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2443603 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:42:58.819 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\usp10.dll | 10.0.14393.3321 (rs1_release.191016-1811) | Uniscribe Unicode script processor | Microsoft® Windows® Operating System | Microsoft Corporation | USP10.DLL | MD5=ACF31D492FD578C0374EB20CC393BE98,SHA256=D49ECA60A94B30DB87CDCEB36F284D273E080E8689E4B0F99D5BD44FFD117A92 | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443602 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443601 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443600 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443599 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443598 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443597 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443596 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443595 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443594 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443593 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443592 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443591 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443590 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443589 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443588 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443587 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443586 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443585 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443584 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443583 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443582 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443581 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443580 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443579 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443578 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443577 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2443576 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:42:58.819 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\d3d10_1core.dll | 10.0.14393.0 (rs1_release.160715-1616) | Direct3D 10.1 Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | D3D10_1Core.dll | MD5=AD41EACFB2A670E17F2C09F8AB06F428,SHA256=208B4CF05936AC21EB0337FB17B1B8F12D778A6E880435C589202457EB0CF73E | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443575 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443574 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443573 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443572 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443571 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443570 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443569 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443568 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443567 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443566 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443565 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443564 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443563 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443562 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443561 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443560 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443559 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443558 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443557 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443556 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.520 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443555 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443554 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443553 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443552 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443551 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443550 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2443549 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:42:58.819 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\d3d10_1.dll | 10.0.14393.0 (rs1_release.160715-1616) | Direct3D 10.1 Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | D3D10_1.dll | MD5=9945D52ACD8FED11F0A636F916C4FF16,SHA256=97C5A99ED38F8516133D6B95070C5998BAAE75EAEF730531D91B81FEE4B81D82 | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443548 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443547 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443546 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443545 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443544 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443543 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443542 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443541 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443540 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443539 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443538 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443537 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443536 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443535 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443534 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443533 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443532 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443531 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443530 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443529 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443528 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443527 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443526 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443525 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443524 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443523 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2443522 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:42:58.819 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\System32\directmanipulation.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft Direct Manipulation Component | Microsoft® Windows® Operating System | Microsoft Corporation | directmanipulation.dll | MD5=EA7CE188E0D1E66C361C8B87304EACDE,SHA256=9ADCA2B7554173A0FD8833F65935C151B09A5D790F46E9EC4EE25E9622F1159A | true | Microsoft Windows | Valid
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443521 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443520 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443519 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443518 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443517 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443516 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443515 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443514 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443513 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443512 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443511 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443510 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443509 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443508 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443507 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443506 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443505 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443504 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443503 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443502 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.505 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2 | 4 | 12 | 0 | 0x8000000000000000 | 2443501 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreateKey | 2021-04-22 16:42:59.489 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2443500 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:42:58.734 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Program Files\Microsoft Office\root\Office16\GFX.DLL | 16.0.13127.21210 | Microsoft Office Graphics | Microsoft Office | Microsoft Corporation | GFX.DLL | MD5=668097B2D740561081C0F7A9495457D9,SHA256=7DE7CC50306AD0F6FE3406537092C9F8DC5BBB0FF16E30A55BE3694895FFD293 | true | Microsoft Corporation | Valid
12241200x80000000000000002443499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443480Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443479Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443478Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443477Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.489{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443476Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443475Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443474Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443473Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000002443472Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid
12241200x80000000000000002443471Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443470Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443469Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443468Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443467Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443466Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443465Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443464Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443463Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443462Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443461Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443460Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443459Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443458Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443457Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443456Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443455Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443454Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443453Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443452Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443451Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443450Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443449Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443448Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443447Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443446Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002443445Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.703{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid
12241200x80000000000000002443444Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443443Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443442Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443441Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443440Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443439Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443438Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443437Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443436Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443435Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443434Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443433Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443432Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443431Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443430Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443429Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443428Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443427Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443426Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443425Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443424Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443423Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000002443422Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.587{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid
12241200x80000000000000002443421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443411Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443410Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443409Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443408Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.458{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.457{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.457{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
Sysmon events exported from win-host-5.attackrange.local, channel Microsoft-Windows-Sysmon/Operational, in descending EventRecordID order as in the original export. Fields that are identical on every row are not repeated per row: Level 4, Opcode 0, Keywords 0x8000000000000000, RuleName "-"; Version/Task are 3/7 for Event 7 (ImageLoad), 2/11 for Event 11 (FileCreate), 2/12 for Event 12 (RegistryEvent, all CreateKey) and 5/23 for Event 23 (FileDelete).

EventID | EventRecordID | UtcTime | ProcessGuid | ProcessId | Image | Event-specific fields
7 | 2443396 | 2021-04-22 16:42:58.571 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | ImageLoaded=C:\Windows\System32\twinapi.dll; FileVersion=10.0.14393.4169 (rs1_release.210107-1130); Description=twinapi; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=twinapi.dll; Hashes=MD5=40E4471EAFBC1AB4D40288BF005AB895,SHA256=E93454095918346B3426D55704F02DF6FBB1B840BF969CE619E3F10BA0AC9A44; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
12 | 2443395 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2443394 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443393 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443392 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443391 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443390 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443389 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443388 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443387 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443386 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443385 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443384 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443383 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443382 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443381 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443380 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443379 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443378 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443377 | 2021-04-22 16:42:59.457 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443376 | 2021-04-22 16:42:59.456 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443375 | 2021-04-22 16:42:59.456 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
11 | 2443374 | 2021-04-22 16:42:59.456 | {21761711-8437-607D-CE00-00000000BB01} | 2032 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; CreationUtcTime=2021-04-19 13:21:25.072
23 | 2443373 | 2021-04-22 16:42:59.456 | {21761711-8437-607D-CE00-00000000BB01} | 2032 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=E07E3AEC4E13F052993D46236F592DC8,SHA256=F8BC2073EAB9B20AFE8EEE96A3845392F043D8E52CEE9CE652A5E617E89864CB; IsExecutable=false; Archived=false - insufficient disk space
12 | 2443372 | 2021-04-22 16:42:59.454 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443371 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443370 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
7 | 2443369 | 2021-04-22 16:42:58.555 | {21761711-A791-6081-7E84-00000000BB01} | 2744 | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | ImageLoaded=C:\Program Files\Microsoft Office\root\Office16\OART.DLL; FileVersion=16.0.13127.21452; Description=Microsoft OfficeArt; Product=Microsoft Office; Company=Microsoft Corporation; OriginalFileName=OART.DLL; Hashes=MD5=E5F9D41891CD22C534DCAD478F1545E6,SHA256=5F3D7CC47AF5CD0AFF7E50B41DA24E787ACF70DB163A2678DE648549627C2016; Signed=true; Signature=Microsoft Corporation; SignatureStatus=Valid
12 | 2443368 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443367 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443366 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2443365 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443364 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443363 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443362 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443361 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443360 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443359 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443358 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443357 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443356 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443355 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443354 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443353 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443352 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443351 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443350 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443349 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443348 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443347 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443346 | 2021-04-22 16:42:59.436 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443345 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443344 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443343 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443342 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2443341 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443340 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
7 | 2443339 | 2021-04-22 16:42:58.553 | {21761711-A792-6081-8084-00000000BB01} | 2128 | C:\Windows\System32\sppsvc.exe | ImageLoaded=C:\Windows\System32\cryptxml.dll; FileVersion=10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810); Description=XML DigSig API; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=cryptxml.dll; Hashes=MD5=2D8B5120841F9D57D81B417B8033051F,SHA256=10896E3FBB656A1FD76CB636510A8501B12068C653BC27FAA4DD8DC89ED7AE4A; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
12 | 2443338 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443337 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443336 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443335 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443334 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443333 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443332 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443331 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443330 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443329 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443328 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443327 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443326 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443325 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443324 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443323 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443322 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443321 | 2021-04-22 16:42:59.358 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
11 | 2443320 | 2021-04-22 16:42:59.357 | {21761711-8437-607D-CE00-00000000BB01} | 2032 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; CreationUtcTime=2021-04-19 13:21:25.072
23 | 2443319 | 2021-04-22 16:42:59.357 | {21761711-8437-607D-CE00-00000000BB01} | 2032 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | User=NT AUTHORITY\SYSTEM; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=3832AD8F882031A84CFD7D6C85F8CFF3,SHA256=01D6AD0FA60787EAE5BD6E2EA7E359A98AED8BA6F0A5019C2F67EDB2B13D6630; IsExecutable=false; Archived=false - insufficient disk space
12 | 2443318 | 2021-04-22 16:42:59.354 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443317 | 2021-04-22 16:42:59.353 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443316 | 2021-04-22 16:42:59.353 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443315 | 2021-04-22 16:42:59.353 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12 | 2443314 | 2021-04-22 16:42:59.353 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443313 | 2021-04-22 16:42:59.353 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443312 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443311 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443310 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443309 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
7 | 2443308 | 2021-04-22 16:42:58.546 | {21761711-A792-6081-8084-00000000BB01} | 2128 | C:\Windows\System32\sppsvc.exe | ImageLoaded=C:\Windows\System32\sppsvc.exe; FileVersion=10.0.14393.4104 (rs1_release.201202-1742); Description=Microsoft Software Protection Platform Service; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=sppsvc.exe; Hashes=MD5=CE92D4BEC4DCB1921757E4F2FC121837,SHA256=2ED9F59A4EB534F51C6182FF5E40D9C03A6D4D2454E53F787E79CC8FADA209C7; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
12 | 2443307 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443306 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443305 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443304 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443303 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443302 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443301 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443300 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443299 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443298 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443297 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443296 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443295 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443294 | 2021-04-22 16:42:59.352 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443293 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443292 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12 | 2443291 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12 | 2443290 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
7 | 2443289 | 2021-04-22 16:42:58.539 | {21761711-A792-6081-7F84-00000000BB01} | 4884 | C:\Windows\System32\wbem\WmiPrvSE.exe | ImageLoaded=C:\Windows\System32\devobj.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=Device Information Set DLL; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=devinfoset.DLL; Hashes=MD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
12 | 2443288 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443287 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12 | 2443286 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443285 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443284 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443283 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443282 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443281 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443280 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443279 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443278 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12 | 2443277 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443276 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443275 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443274 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12 | 2443273 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12 | 2443272 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12 | 2443271 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12 | 2443270 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443269 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12 | 2443268 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12 | 2443267 | 2021-04-22 16:42:59.304 | {21761711-83AE-607D-1D00-00000000BB01} | 1960 | C:\Windows\sysmon64.exe | EventType=CreateKey; TargetObject=HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
7 | 2443266 | 2021-04-22 16:42:58.535 | {21761711-A792-6081-7F84-00000000BB01} | 4884 | C:\Windows\System32\wbem\WmiPrvSE.exe | ImageLoaded=C:\Windows\System32\wmiclnt.dll; FileVersion=10.0.14393.0 (rs1_release.160715-1616); Description=WMI Client API; Product=Microsoft® Windows® Operating System; Company=Microsoft Corporation; OriginalFileName=wmiclnt.dll; Hashes=MD5=6B61852EDC8F0EB9E555CF5308A1CA67,SHA256=73CBABE06D58CF771AC647C0DE916BD668FEC96A40EDF7283D50C1C7DE07FE08; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
12241200x80000000000000002443265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
11241100x80000000000000002443242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.304{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002443241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.304{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBDD502C7AEDCE67A6496F3F5443F25,SHA256=E88635865F98BB6BBCE388EC02D2F5F79927E0D111B8DC32FC356430F8CCC359falsefalse - insufficient disk space
12241200x80000000000000002443240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000002443238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.535{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wmi.dll10.0.14393.0 (rs1_release.160715-1616)WMI DC and DP functionalityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi.DLLMD5=BECC01CF48016043B5DC3D5477CC08CF,SHA256=449E882DBCD4DD25B8F10CD62623DCB15E5B6375B0699463506EA55886B7B9DAtrueMicrosoft WindowsValid
12241200x80000000000000002443237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.304{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000002443208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.530{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2trueMicrosoft WindowsValid
12241200x80000000000000002443207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443204Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443203Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443202Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443201Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443200Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443199Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443198Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443197Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443196Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443195Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443194Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443193Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443192Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443191Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443190Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443189Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443188Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443187Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443186Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443185Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443184Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443183Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000002443182Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.529{21761711-A792-6081-7F84-00000000BB01}4884C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7trueMicrosoft WindowsValid
12241200x80000000000000002443181Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443180Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443179Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443178Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443177Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443176Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443175Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443174Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443173Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443172Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443171Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443170Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443169Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443168Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443167Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443166Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443165Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.289{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.235{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
13241300x80000000000000002443024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Place MRU\Item 2[F00000000][T01D736E37B596050][O00000000]*C:\Users\Administrator\Desktop\
13241300x80000000000000002443023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\Place MRU\Item 1[F00000000][T01D737968DABFD40][O00000000]*C:\Users\Administrator\Desktop\5952598816096256\
13241300x80000000000000002443022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\File MRU\Item 4[F00000000][T01D73627FB4A3D50][O00000000]*C:\Users\Administrator\Desktop\details.xls
13241300x80000000000000002443021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\File MRU\Item 3[F00000000][T01D736C937B0D0A0][O00000000]*C:\Users\Administrator\Desktop\cs.xlsm
13241300x80000000000000002443020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\File MRU\Item 2[F00000000][T01D736E37B596050][O00000000]*C:\Users\Administrator\Desktop\d5fc0f0e4c95364441a7279f14b5d30add545cd2f9b4c11447bcbd0de5e830d4.xlsm
13241300x80000000000000002443019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:59.220{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\File MRU\Item 1[F00000000][T01D737968DABFD40][O00000000]*C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm
12241200x80000000000000002443018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000002443015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.447{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL16.0.13127.21210Microsoft Office componentMicrosoft OfficeMicrosoft CorporationMsoAria.dllMD5=075F94DBD44477623CA2629F67A28C63,SHA256=7E32AD6955265A798568940B30EEE08891972809507272665314555D06632E83trueMicrosoft CorporationValid
12241200x80000000000000002443014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
11241100x80000000000000002442993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.204{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002442992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.204{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE30D99520C460717F441D745A2A640,SHA256=273AAB29ADDAD21B898B1395C6421325D3406B80402AC9D9959DF860CEC157B2falsefalse - insufficient disk space
12241200x80000000000000002442991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000002442988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.443{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\DWrite.dll10.0.14393.4225 (rs1_release.210127-1811)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=BB0ECCB8A72B5926A58433666145D459,SHA256=9C082B0EF00A6E174062634F0421B1179D27BC9077A5C0B1FEB2AA74DBAC2E68trueMicrosoft WindowsValid
12241200x80000000000000002442987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.204{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.188{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
10341000x80000000000000002442965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.188{21761711-A791-6081-7E84-00000000BB01}27442200C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdd53|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdcf3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bdc66|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+bd60d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+61c0d|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+ab025|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+5deac|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e279|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002442964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.173{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227
23542300x80000000000000002442963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.173{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EBAC73DE9072EE017282D3B992793D06,SHA256=18F3B2D824EED167FB312E003C16029B1476C0539A9F6EE6C2603D0ED9E3D133falsefalse - insufficient disk space
11241100x80000000000000002442962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.173{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227
23542300x80000000000000002442961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.173{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D4CF08D51E933FD7A4EE468F4F35B113,SHA256=93C9A62708576B95E39B16121FF1B49076B151770F0E7D370879276BE198F161falsefalse - insufficient disk space
12241200x80000000000000002442960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002442954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.421{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\dsreg.dll10.0.14393.4225 (rs1_release.210127-1811)AD/AAD User Device RegistrationMicrosoft® Windows® Operating SystemMicrosoft Corporationdsreg.dllMD5=A9077C17AA04BDD1DBEDD357767E704F,SHA256=E9599D4BA5469F080CEEE8CEFB2DF979B69DA3349EAD3B2CCF12B15D15955E60trueMicrosoft WindowsValid
12241200x80000000000000002442953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.173{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002442927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.420{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid
12241200x80000000000000002442926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442906Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442905Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
734700x80000000000000002442904Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.418{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid
12241200x80000000000000002442903Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442902Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442901Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442900Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442899Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442898Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442897Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442896Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442895Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442894Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442893Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442892Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442891Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442890Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442889Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442888Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442887Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442886Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442885Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442884Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442883Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.157{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442882Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.156{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
11241100x80000000000000002442881Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.155{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Application2021-04-19 13:19:52.725
23542300x80000000000000002442880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.155{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=70BA583FAB70A2ED0B7076DEF9AA334F,SHA256=56EA39B722216C65ECBE531B527BFC36ADF7C13C69A2B4180A07EAADB8A342FFfalsefalse - insufficient disk space
12241200x80000000000000002442879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.152{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.151{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.151{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.151{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.151{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002442874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002442872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.398{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\Windows.Security.Authentication.Web.Core.dll10.0.14393.4169 (rs1_release.210107-1130)Token Broker WinRT APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Security.Authentication.Web.Core.dllMD5=E3AB65431FF6EA142FECF301220904D0,SHA256=60F168A317109BA364699F1FA1A2DDD8E5B0008A16CD7F1DB80583848DFCA7CFtrueMicrosoft WindowsValid
12241200x80000000000000002442871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442861Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442860Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442859Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442858Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442857Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442856Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442855Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442854Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442853Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442852Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442851Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442850Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442849Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442848Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000002442847Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.394{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9DtrueMicrosoft WindowsValid
12241200x80000000000000002442846Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442845Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002442844Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442843Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442842Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442841Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442840Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442839Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442838Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442837Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442836Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442835Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442834Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442833Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442832Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442831Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002442830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002442829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002442828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.135{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002442826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002442825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002442824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002442823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.104{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
10341000x80000000000000002442707Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442706Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442705Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442704Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x80000000000000002442703Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738fc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002442702Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\document-752139500.xlsm.LNK2021-04-22 16:42:58.988
23542300x80000000000000002442701Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}2744WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\document-752139500.xlsm.LNKMD5=A80FAA827A40AC1510AC3D80C782EFA9,SHA256=064BEC24ABD6A625A80C4B52ABEFA149A8FE6C025126CCB5B5869876BCD5D54Ffalsefalse - insufficient disk space
23542300x80000000000000002442700Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}2744WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\d5fc0f0e4c95364441a7279f14b5d30add545cd2f9b4c11447bcbd0de5e830d4.xlsm.LNKMD5=A2805C655AE4B1059A1CA9727BC43F52,SHA256=A1A23B6D57EBC104522416887339213343923A1B00E150641C86892945168691falsefalse - insufficient disk space
10341000x80000000000000002442699Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442698Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442697Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x80000000000000002442696Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dbaa2|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442695Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442694Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442693Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x80000000000000002442692Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442691Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002442690Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4
10341000x80000000000000002442689Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:59.003{21761711-A791-6081-7E84-00000000BB01}27445272C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+3dba90|C:\Windows\System32\windows.storage.dll+3d915b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174410|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173a6a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1738d5|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175791|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+70dbc|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12f86d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b838c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b81ab|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b641e|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc358|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12241200x80000000000000002442688Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:59.003{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess
13241300x80000000000000002442687Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.988{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\PointsBinary Data
13241300x80000000000000002442686Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.988{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\LastAccessedTimeQWORD (0x00000000-0x00000000)
13241300x80000000000000002442685Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.988{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\TypeDWORD (0x00000000)
12241200x80000000000000002442684Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.988{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems
13241300x80000000000000002442683Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:42:58.988{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.EXCEL.EXE.15QWORD (0x01d73796-0x8d88a3d9)
12241200x80000000000000002442682Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.988{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
12241200x80000000000000002442681Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:42:58.988{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData
10341000x80000000000000001527579Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:00.862{761B69BB-818C-607D-0D00-00000000BA01}9045276C:\Windows\system32\svchost.exe{761B69BB-84D2-607D-F802-00000000BA01}1484C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527578Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:00.698{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C272B3E54F49858AB2EDA0B06BCD899,SHA256=8842747AE91622619839222ADAA3BEEAAB5947D4D66FAA9B8AB10D3DF8E76EBF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000002443830Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:00.839{21761711-83AE-607D-0D00-00000000BB01}7925480C:\Windows\system32\svchost.exe{21761711-84C8-607D-EA00-00000000BB01}3720C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002443829Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:00.692{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002443828Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:00.692{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C52611751EEABBF136FC8EE884B157E,SHA256=0E54F3659A6945BCDB62080E6232858E7E878BFD86714F522F9D7FB7917DC07Afalsefalse - insufficient disk space
354300x80000000000000002443827Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.023{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49261-false173.222.228.212a173-222-228-212.deploy.static.akamaitechnologies.com443https
354300x80000000000000002443826Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:57.980{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49260-false52.113.194.132-443https
354300x80000000000000002443825Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:57.697{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49259-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
22542200x80000000000000002443824Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.376{21761711-A791-6081-7E84-00000000BB01}2744support.content.office.net0type: 5 support.content.office.net.edgekey.net;type: 5 e584.g.akamaiedge.net;::ffff:173.222.228.212;C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
22542200x80000000000000002443823Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:42:58.328{21761711-A791-6081-7E84-00000000BB01}2744ecs.office.com0type: 5 ecs.office.trafficmanager.net;type: 5 s-0005-office.config.skype.com;type: 5 ecs-office.s-0005.s-msedge.net;type: 5 s-0005.s-msedge.net;::ffff:52.113.194.132;C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
10341000x80000000000000001527577Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:00.578{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527576Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:00.578{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527575Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:00.107{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF32B7503A2E36BE0F8773D3D5F731C3,SHA256=BE180D12B73B69270DDC6F71607483C585B5557C8CB1D44EAB5584D09ACDADCA,IMPHASH=00000000000000000000000000000000falsetrue
13241300x80000000000000002444042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.911{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x80000000000000002444041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.911{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data
11241100x80000000000000002444040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.659{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.659{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55309B14A9F2DA2A304404EA7C47CD1C,SHA256=64C1622ED388D256CA2175A3A4B22D248551ADFEA7325336D1710781FB71F1C0falsefalse - insufficient disk space
10341000x80000000000000001527601Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.865{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A795-6081-1183-00000000BA01}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527600Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.863{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527599Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.863{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527598Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.863{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527597Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.863{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527596Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.862{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-A795-6081-1183-00000000BA01}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001527595Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.862{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A795-6081-1183-00000000BA01}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001527594Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.862{761B69BB-A795-6081-1183-00000000BA01}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x80000000000000001527593Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:42:55.772{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1051-false10.0.1.12-8000-
23542300x80000000000000001527592Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.712{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FA823D9DC3A790912B40A89E7A71C6,SHA256=6372A73A604FD7F940727332950FEA3796E006BD90E150B89217DF22AFE37776,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527591Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.579{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527590Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.579{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527589Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.322{761B69BB-A795-6081-1083-00000000BA01}67361364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527588Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.185{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A795-6081-1083-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527587Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.183{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527586Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.183{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527585Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.183{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527584Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.183{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527583Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.182{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-A795-6081-1083-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001527582Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.182{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A795-6081-1083-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001527581Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.182{761B69BB-A795-6081-1083-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001527580Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.182{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72E1F34B3B8B532BBB995786CA37E0F7,SHA256=4E975024B5D76C5F4675BEF03C10AAC184A449F666AC7AA391AB5F798585A6BF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.309{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.309{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5251B9F939492EBE8F47AB5146B94836,SHA256=D5A2B592BE7638E88559DC7C9FC12CC7CAD4E30DA5399543D64EB82737414BCFfalsefalse - insufficient disk space
12241200x80000000000000002444036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002444035Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002444034Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002444033Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444032Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002444031Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.259{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
12241200x80000000000000002444030Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444029Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444028Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444027Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444026Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444025Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444024Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444023Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444022Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444021Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444020Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444019Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444018Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444017Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444016Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444015Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444014Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444013Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444012Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002444011Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002444010Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002444009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
734700x80000000000000002444008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
12241200x80000000000000002444007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444006Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444005Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444004Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444003Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443989Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443988Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443987Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002443982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid
12241200x80000000000000002443981Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443980Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443979Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443978Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443977Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443976Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443975Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443974Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443973Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443972Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443971Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443970Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443969Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443968Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443967Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443966Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443965Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443964Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443963Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.278{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443962Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443961Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443960Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443959Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443958Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443957Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002443956Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
12241200x80000000000000002443955Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443954Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443953Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443952Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443951Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443950Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443949Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443948Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443947Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443946Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443945Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443944Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443943Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443942Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443941Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443940Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443939Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002443936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002443935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002443934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002443933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002443932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002443931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:01.240{21761711-A795-6081-8184-00000000BB01}1136C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
12241200x80000000000000002443930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443923Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443922Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443921Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443920Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443919Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443918Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443917Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002443916Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002443915Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002443914Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002443913Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
13241300x80000000000000002443912Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data
13241300x80000000000000002443911Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data
12241200x80000000000000002443910Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
13241300x80000000000000002443909Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListExBinary Data
13241300x80000000000000002443908Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotsBinary Data
12241200x80000000000000002443907Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:01.262{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
10341000x80000000000000001527608Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.529{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527607Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.529{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527606Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.529{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527605Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.528{761B69BB-818A-607D-0500-00000000BA01}408532C:\Windows\system32\csrss.exe{761B69BB-A796-6081-1283-00000000BA01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001527604Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.528{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A796-6081-1283-00000000BA01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001527603Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.528{761B69BB-A796-6081-1283-00000000BA01}976C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001527602Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.188{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F44CB0DB0919605A0195002ABE32BFE1,SHA256=61EB25A110A43E8F15DB54E50D4BB4845D62D11234CD410E72642EEC83ACBAB7,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444082Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.985{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3CB7099F3F3BE6FC6E0116AE50E002F02021-04-22 16:43:03.985
11241100x80000000000000002444081Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.985{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3CB7099F3F3BE6FC6E0116AE50E002F02021-04-22 16:43:03.985
734700x80000000000000002444080Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.931{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid
734700x80000000000000002444079Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.916{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\wintrust.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=D8CD8451D1E194230F18866AD6EFE5E7,SHA256=9977AA1287962035C24DF806DDA67F09FFE9BDF696DBA507D749C624AE1C178DtrueMicrosoft WindowsValid
13241300x80000000000000002444078Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:03.916{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\BlobBinary Data
12241200x80000000000000002444077Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.916{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
12241200x80000000000000002444076Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.916{21761711-83AD-607D-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
13241300x80000000000000002444075Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:03.746{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\ExcelWorkbookOpenedCountDWORD (0x00000002)
13241300x80000000000000002444074Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:03.731{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\ExcelWorkbookAutoRecoverDirtyDWORD (0x00000001)
13241300x80000000000000002444073Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:03.731{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Office\16.0\Excel\ImmersiveWorkbookDirtySentinelDWORD (0x00000001)
11241100x80000000000000002444072Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.731{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444071Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.731{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E332196F49A77634D34166D1BADD94E3,SHA256=7B2E1F91B741DBBB029F86E2ECE31F3038B94FA69F1DF8293088CB562FF616BBfalsefalse - insufficient disk space
23542300x80000000000000001527618Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:03.727{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704200A54C03B2E6069ED51767E7D991,SHA256=2AC585B7D9BAD00BB13E4000E4B80317FAD2A28634B6010498B9EBD34D875AA6,IMPHASH=00000000000000000000000000000000falsetrue
13241300x80000000000000002444070Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities1329 50,1329 10,941 10,1329 15,941 15,1329 100,941 6,1329 6
13241300x80000000000000002444069Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds05804129,17102418,7202269,41484365,17110988,7153487,39965824,595174594,593359442,17962391,17962392,17110992,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617
12241200x80000000000000002444068Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
12241200x80000000000000002444067Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
12241200x80000000000000002444066Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata
12241200x80000000000000002444065Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry
12241200x80000000000000002444064Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common
12241200x80000000000000002444063Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0
12241200x80000000000000002444062Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office
12241200x80000000000000002444061Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft
12241200x80000000000000002444060Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software
12241200x80000000000000002444059Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
12241200x80000000000000002444058Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor
12241200x80000000000000002444057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:03.615{21761711-85CB-607D-5301-00000000BB01}7008C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKU\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe
734700x80000000000000002444056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.483{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEC:\Windows\System32\Windows.Networking.Connectivity.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Networking Connectivity Runtime DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Networking.Connectivity.dllMD5=7934F613774F04B5BFD097B3D77F81FB,SHA256=E1A32AADFED0859269C89D4E1C961D3BC8EA2A5FA86487C9817BB52899E0F60EtrueMicrosoft WindowsValid
10341000x80000000000000001527617Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:03.581{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527616Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:03.581{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527615Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:03.274{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5134DAAAC04B89609BD1D6881F5D4A3F,SHA256=E600D4DC7AC3B40F1163FFFBE8A9B9FB4A651A442A995FBEDB2BC902BE859A09,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444091Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.749{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444090Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.749{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A1C9B4AB3AF74DBD9D69789AC131A9,SHA256=FA0F06A1E2690DF9520E8A757F023AD7A54C0D9F590ADB90AE1BC8DFA87C2056falsefalse - insufficient disk space
11241100x80000000000000002444089Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.749{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002444088Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.749{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B9901826BACD2D035206F19D36ED49E,SHA256=14F4D7D4B0C9C3B133F0F44E41C1E7552B4B24BC403804F4EB9B298D0C43B575falsefalse - insufficient disk space
23542300x80000000000000001527622Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:04.764{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49CBC7FB41EF943C2D172D7B15D8454,SHA256=C863E8F9E18F5CBF0A78D8CC3239178E991D47FA8085D53B2F4032DE977FAAA3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527621Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:04.742{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0F70C308AC8B32866C90A8DC75C995,SHA256=305C7D940DDF462DBBEA909C9CFC18691232A4744CAB377AE3C9B74000DECB13,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444087Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.586{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DAAF2360741DD059D38484A5BCFFB0E12021-04-22 16:43:04.586
11241100x80000000000000002444086Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.571{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DAAF2360741DD059D38484A5BCFFB0E12021-04-22 16:43:04.571
10341000x80000000000000002444085Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.448{21761711-83AE-607D-0D00-00000000BB01}7925480C:\Windows\system32\svchost.exe{21761711-A62F-6081-4F84-00000000BB01}5880C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444084Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.448{21761711-83AE-607D-0D00-00000000BB01}7925480C:\Windows\system32\svchost.exe{21761711-A62F-6081-4F84-00000000BB01}5880C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444083Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:04.448{21761711-83AE-607D-0D00-00000000BB01}7925480C:\Windows\system32\svchost.exe{21761711-83AE-607D-1E00-00000000BB01}1992C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527620Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:04.581{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527619Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:04.581{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527626Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:05.752{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10C13F86BFA025AEBED7D9DBEC7CD9D,SHA256=4341716687F893A1635EDBE73B66FA2E6B7A44B6A009E342BFDF30C224BC3EAF,IMPHASH=00000000000000000000000000000000falsetrue
22542200x80000000000000002444097Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.627{21761711-A791-6081-7E84-00000000BB01}2744abpandh.com0::ffff:162.241.225.246;C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
11241100x80000000000000002444096Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:05.751{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444095Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:05.751{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BE5778025A64007A9091B5049A37CB,SHA256=0E13583CEF12B6C47A37290C49F21D1DB17BA97A4160CBA27E9562009892EFC5falsefalse - insufficient disk space
354300x80000000000000002444094Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.693{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49264-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
354300x80000000000000002444093Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:03.438{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49263-false184.25.56.139a184-25-56-139.deploy.static.akamaitechnologies.com80http
734700x80000000000000002444271Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid
12241200x80000000000000002444270Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444269Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
734700x80000000000000002444268Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid
734700x80000000000000002444267Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid
10341000x80000000000000002444266Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-83AE-607D-1600-00000000BB01}11087656C:\Windows\system32\svchost.exe{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444265Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-83AE-607D-1600-00000000BB01}11081152C:\Windows\system32\svchost.exe{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002444264Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid
12241200x80000000000000002444263Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
734700x80000000000000002444262Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.072{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.4225 (rs1_release.210127-1811)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=1FD254D30743876981194F7E17ECDB6F,SHA256=0CB67AC140097A888B7ED85C9A31F8967D16661B82557CE5D61FA70A85BDF8B8trueMicrosoft WindowsValid
12241200x80000000000000002444261Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002444260Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002444259Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002444258Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444257Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444256Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444255Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444254Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444253Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444252Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444251Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444250Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444249Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444248Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444247Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444246Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444245Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444244Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444243Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444242Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444241Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444240Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444239Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.090{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
734700x80000000000000002444238Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid
734700x80000000000000002444237Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid
734700x80000000000000002444236Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000002444235Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000002444234Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000002444233Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69trueMicrosoft WindowsValid
734700x80000000000000002444232Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid
734700x80000000000000002444231Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid
734700x80000000000000002444230Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.090{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid
734700x80000000000000002444229Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000002444228Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid
734700x80000000000000002444227Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000002444226Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000002444225Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000002444224Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid
734700x80000000000000002444223Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667trueMicrosoft WindowsValid
10341000x80000000000000002444222Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C5-607D-E100-00000000BB01}32203160C:\Windows\system32\csrss.exe{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000002444221Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-A791-6081-7E84-00000000BB01}27442200C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\SYSTEM32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+441c9|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d253|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e46713|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e4e7af|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+11956d9|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+119e5fc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+4f8d5|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+1f622c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+1f87fb|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+150f0dc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+15163bc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+14f2cc8|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+14f2338|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+11a73b|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e097a|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+2ffc3c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+3009f1|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+20ca4b4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+11de4d3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+11de840
154100x80000000000000002444220Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.085{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32 ..\oepddl.igk2,DllRegisterServerC:\Users\Administrator\Documents\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm"
12241200x80000000000000002444219Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
13241300x80000000000000002444218Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data
13241300x80000000000000002444217Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Bssvpr.RKPRY.RKR.15Binary Data
10341000x80000000000000002444216Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444215Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37841892C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x80000000000000002444214Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000)
12241200x80000000000000002444213Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation
10341000x80000000000000002444212Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12241200x80000000000000002444211Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002444210Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002444209Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002444208Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
10341000x80000000000000002444207Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.074{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
12241200x80000000000000002444206Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444205Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:06.074{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
10341000x80000000000000002444100Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-84C5-607D-E100-00000000BB01}32202520C:\Windows\system32\csrss.exe{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000002444099Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.052{21761711-A791-6081-7E84-00000000BB01}27442200C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+441c9|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d253|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e46713|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e4e7af|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+11956d9|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+119e5fc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+4f8d5|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+1f622c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+1f87fb|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+150f0dc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+15163bc|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+14f2cc8|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+14f2338|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+11a73b|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+e097a|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+2ffc3c|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+3009f1|C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE+20ca4b4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+11de4d3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+11de840
154100x80000000000000002444098Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.056{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32 ..\oepddl.igk1,DllRegisterServerC:\Users\Administrator\Documents\WIN-HOST-5\Administrator{21761711-84C7-607D-C8E0-090000000000}0x9e0c82HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Administrator\Desktop\5952598816096256\document-752139500.xlsm"
22542200x80000000000000002444360Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:05.532{21761711-83AE-607D-1D00-00000000BB01}1960139.56.25.184.in-addr.arpa.0type: 12 a184-25-56-139.deploy.static.akamaitechnologies.com;C:\Windows\sysmon64.exe
11241100x80000000000000002444359Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:07.794{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444358Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:07.794{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303D192FD24A70FEE7ACEBC837CDE8B4,SHA256=F694CC8A477F9F39191F36067C265ECB3F7BBC7B6192B028C76420F2F022EEB8falsefalse - insufficient disk space
23542300x80000000000000001527638Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:07.764{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026CD7B6FA3F495EF8DEEF62BA6F4D31,SHA256=A2176781E24F26C217031842A3409DE3C27B859885BD5764C17A5B20FE9C2572,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444357Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:07.540{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002444356Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:07.540{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=358D57C7F489D4439F03C4DE99BFE602,SHA256=5CFA868470A9ED00DF2DD6D86312911EF2D16EA2D45F0352B040BF6F4D8248FCfalsefalse - insufficient disk space
10341000x80000000000000001527637Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:07.584{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527636Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:07.584{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527635Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.133{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60319-
354300x80000000000000001527634Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:01.133{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal64544-
22542200x80000000000000002444403Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.402{21761711-83AE-607D-1D00-00000000BB01}1960169.155.100.5.in-addr.arpa.0type: 12 5.100.155-169.publicdomainregistry.com;C:\Windows\sysmon64.exe
354300x80000000000000002444402Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:06.982{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49266-false23.54.49.175a23-54-49-175.deploy.static.akamaitechnologies.com443https
23542300x80000000000000001527698Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:08.883{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAE0C56629471D4F9C7130EA9118C87,SHA256=55630AA54DEF87EF0623D7AB45500AE94C4805C2C44C0B4395F0EC445026CD5F,IMPHASH=00000000000000000000000000000000falsetrue
12241200x80000000000000002444401Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.659{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess
13241300x80000000000000002444400Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\PointsBinary Data
13241300x80000000000000002444399Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\LastAccessedTimeQWORD (0x00000000-0x00000000)
13241300x80000000000000002444398Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\TypeDWORD (0x00000000)
12241200x80000000000000002444397Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems
13241300x80000000000000002444396Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.EXCEL.EXE.15QWORD (0x01d73796-0x934c457b)
12241200x80000000000000002444395Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
12241200x80000000000000002444394Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.659{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData
10341000x80000000000000002444393Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c
10341000x80000000000000002444392Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c
10341000x80000000000000002444391Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f
10341000x80000000000000002444390Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06
23542300x80000000000000002444389Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.659{21761711-A791-6081-7E84-00000000BB01}2744WIN-HOST-5\AdministratorC:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF102c83fc.TMPMD5=97C6F6C6415FD0AE91EB14429A4620D9,SHA256=95BBB488C9E1F54C1D20D018FCF1C63AD7A66F1D76F12BC19CAFF19584D94905falsefalse - insufficient disk space
11241100x80000000000000002444388Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.643{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF102c83fc.TMP2021-04-22 16:43:08.643
254200x80000000000000002444387Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.643{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUMZHWBLKOR5E3R1IQ1Q.temp2021-04-20 20:31:10.9152021-04-22 16:43:08.643
11241100x80000000000000002444386Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.643{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VUMZHWBLKOR5E3R1IQ1Q.temp2021-04-22 16:43:08.643
13241300x80000000000000002444385Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.627{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xls\OpenWithProgids\Excel.Sheet.8Binary Data
13241300x80000000000000002444384Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.627{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12Binary Data
13241300x80000000000000002444383Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.612{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12Binary Data
13241300x80000000000000002444382Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.596{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsm\OpenWithProgids\Excel.SheetMacroEnabled.12Binary Data
12241200x80000000000000002444381Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.596{21761711-83AE-607D-1600-00000000BB01}1108C:\Windows\system32\svchost.exeHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess
13241300x80000000000000002444380Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.596{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\PointsBinary Data
13241300x80000000000000002444379Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.596{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\LastAccessedTimeQWORD (0x00000000-0x00000000)
13241300x80000000000000002444378Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.596{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems\{1943AD08-7273-4F9D-BC8E-A627F7974973}\TypeDWORD (0x00000000)
12241200x80000000000000002444377Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.596{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11E2F786-E706-41EC-B221-0E21A9B22419}\RecentItems
12241200x80000000000000002444376Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.596{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps
13241300x80000000000000002444375Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:08.596{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\Microsoft.Office.EXCEL.EXE.15QWORD (0x01d73796-0x9342bc00)
12241200x80000000000000002444374Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:08.596{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData
10341000x80000000000000002444373Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.596{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c
10341000x80000000000000002444372Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.596{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c
10341000x80000000000000002444371Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.596{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f
10341000x80000000000000002444370Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.596{21761711-A791-6081-7E84-00000000BB01}27445176C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06
23542300x80000000000000001527705Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.888{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7D200A3625B13721457185C3013CD1,SHA256=F80E8EFC8432A30145A21322828160B95FFA193387DFA26555179DE121AE7F46,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444407Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.579{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002444406Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.579{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C77D50A8A31A072AF78C463FC81B874D,SHA256=88896B783DCB86C15B4C13F432486ABFA2A5C0BF920951234C60D4751198A590falsefalse - insufficient disk space
11241100x80000000000000002444405Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.013{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444404Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.013{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB7DEB4308AF2EBF6142D21117824C4,SHA256=5384FDD5B77A2031034441A0A450D7CC84D380FA62C7AE24CDBA46F0328538AFfalsefalse - insufficient disk space
10341000x80000000000000001527704Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527703Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527702Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.553{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62D0BE9C195C826941F69CB9CBA5EE1E,SHA256=3738DBA21BE86277191BCE55561D85018F89E2E0A0E9B53E7273A1DB2BE959D9,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001527701Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:03.055{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61100-
354300x80000000000000001527700Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:02.881{761B69BB-A4A5-607D-9A08-00000000BA01}6816C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1054-false142.251.33.106sea30s10-in-f10.1e100.net443https
23542300x80000000000000001527699Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:09.045{761B69BB-A4A5-607D-9A08-00000000BA01}6816ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\wcognp7t.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444414Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:10.848{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444413Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:10.848{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F09AAC6579F7E0AB7810CE5D5FBCC7,SHA256=1F53E1822C622D05ED00CB39240C210C46E400D2D994703720EE5D883F083F21falsefalse - insufficient disk space
23542300x80000000000000001527709Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:10.893{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E128398BA113F888BA094EBD8CA68E,SHA256=C5E9C68BFAD397414A2DDA6189CBC0D0A7A1C7BE41850566A56043C9A8A90469,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002444412Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:08.185{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXEWIN-HOST-5\Administratortcptruefalse10.0.1.15win-host-5.attackrange.local49267-false51.140.157.153-443https
10341000x80000000000000001527708Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:10.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527707Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:10.585{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527706Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:04.142{761B69BB-819C-607D-2800-00000000BA01}2912C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-982.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52401-
11241100x80000000000000002444419Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:11.884{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444418Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:11.884{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5415428358E77058F5A82B03576D4FB8,SHA256=43257BE943F10B2BFBEB313C8A0AC8212604180930F1CC5BE3DA42CE9C11897Afalsefalse - insufficient disk space
23542300x80000000000000001527712Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:11.897{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F0A2761FFDD4E1BD22023BC15A21D6,SHA256=C4EC93D94DA22C7CE46D82E7BC54DF044C5B9B029262A19543732E2623ED060E,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002444417Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:09.658{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49268-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002444416Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:11.187{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002444415Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:11.187{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF027D7DBFAB13D37B0CF7AEF710DBBF,SHA256=FF89DB162DB496D064B6AF3361354DBEAEB949A9051E54858B2D394D04E25F8Afalsefalse - insufficient disk space
10341000x80000000000000001527711Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:11.586{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527710Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:11.586{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002444421Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:12.888{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444420Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:12.887{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9093A2E4337DE2775D685EABB4464128,SHA256=36DE7C531068083032086C4920B20064107D1CA41B60DB8B57D4398808A902B4falsefalse - insufficient disk space
23542300x80000000000000001527716Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.904{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A1E35C3869D889604979E6B3389894,SHA256=02C6E6F1ABC5E39555F869AF7D7717AED6524B328B271AB4BD271121C0D8D105,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527715Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.587{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527714Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.587{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527713Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.205{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38933F24A8E07AACD480B7D9E4C0211F,SHA256=7F8E39E0CEFB39BE49F41E9A7503A2287C095B508978201A42DA840F46870B3A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527719Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:13.909{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4C3D325F9BE11BE87172F54F7BB839,SHA256=7314C5CCFC8A6F585DBDCAC7C14113B94610555021AE3614F2ADCC2DFAE1D82E,IMPHASH=00000000000000000000000000000000falsetrue
12241200x80000000000000002444521Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002444520Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002444519Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002444518Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444517Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444516Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
734700x80000000000000002444515Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:13.971{21761711-A7A1-6081-8484-00000000BB01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid
12241200x80000000000000002444514Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444513Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444512Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444511Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444510Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444509Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444508Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444507Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444506Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444505Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444504Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444503Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444502Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444501Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444500Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444499Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444498Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.993{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444497Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
12241200x80000000000000002444496Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
12241200x80000000000000002444495Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
12241200x80000000000000002444494Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
12241200x80000000000000002444493Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
734700x80000000000000002444492Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:13.971{21761711-A7A1-6081-8484-00000000BB01}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
12241200x80000000000000002444491Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
12241200x80000000000000002444490Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444489Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444488Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444487Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444486Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
12241200x80000000000000002444485Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
12241200x80000000000000002444484Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
12241200x80000000000000002444483Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444482Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
12241200x80000000000000002444481Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:13.990{21761711-83AE-607D-1D00-00000000BB01}1960C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
10341000x80000000000000001527724Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:15.590{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x80000000000000002444543Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:15.058{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080438\VirtualDesktopBinary Data
12241200x80000000000000002444542Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:15.058{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080438
534500x80000000000000002444541Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exe
12241200x80000000000000002444540Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000080438
10341000x80000000000000002444539Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x80000000000000002444538Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000)
12241200x80000000000000002444537Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation
10341000x80000000000000002444536Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444535Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002444534Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-A79A-6081-8384-00000000BB01}7804C:\Windows\System32\rundll32.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
10341000x80000000000000002444533Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444532Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444531Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444530Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:14.996{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\SYSTEM32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527729Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:16.935{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790A4D78F975D96EF6B9744FB1D02FE4,SHA256=301DD7211ECE9004764D825B0194A196114E3C24E32208F29C16135D0F10A020,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444559Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.161{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444558Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.161{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F58D664421A569F9334971B0FFF3361,SHA256=6C78F42C786B08935F0177C7E5EEE4442453B1B1B70DC0C234F2689ED1CB5852falsefalse - insufficient disk space
10341000x80000000000000001527728Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:16.591{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527727Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:16.591{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
13241300x80000000000000002444557Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:16.114{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C05F4\VirtualDesktopBinary Data
12241200x80000000000000002444556Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:16.114{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C05F4
13241300x80000000000000002444555Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-SetValue2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000)
12241200x80000000000000002444554Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreateKey2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation
10341000x80000000000000002444553Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}37843208C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
534500x80000000000000002444552Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exe
12241200x80000000000000002444551Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-DeleteKey2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}3784C:\Windows\Explorer.EXEHKU\S-1-5-21-3386589612-1946705271-3951022823-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001C05F4
734700x80000000000000002444550Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-A79A-6081-8284-00000000BB01}5112C:\Windows\System32\rundll32.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
10341000x80000000000000002444549Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000002444548Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.045{21761711-84C9-607D-F200-00000000BB01}37844996C:\Windows\Explorer.EXE{21761711-A791-6081-7E84-00000000BB01}2744C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002444547Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.014{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002444546Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:16.014{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6C54519B259DAA51FD3527880800112,SHA256=322C43433B33E7451D39EC66F428D86902978B3E7DE1E9E65FA8DF301A2CB30Bfalsefalse - insufficient disk space
23542300x80000000000000001527732Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:17.941{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDFE321DB9EDD1FFC3AE746A368A925,SHA256=5788576200C877E01BAD3A465C01D07B57E1EB3BDB0B81FCEE8CB50A3ED8029E,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002444680Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:15.691{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49269-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
534500x80000000000000002444679Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.881{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
734700x80000000000000002444678Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.881{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
734700x80000000000000002444677Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.881{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000002444676Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.881{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
734700x80000000000000002444675Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.765{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000002444674Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.765{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid
734700x80000000000000002444673Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.765{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000002444672Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.765{21761711-A7A5-6081-8684-00000000BB01}7360\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
734700x80000000000000002444671Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000002444670Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe
734700x80000000000000002444669Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid
734700x80000000000000002444668Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000002444667Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000002444666Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000002444665Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid
734700x80000000000000002444664Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000002444663Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000002444662Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid
734700x80000000000000002444661Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid
734700x80000000000000002444660Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid
734700x80000000000000002444659Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000002444658Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.749{21761711-A7A5-6081-8684-00000000BB01}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
Column layout, reconstructed from the Sysmon event schema (the export lost its field delimiters). Every row begins with the common event-header fields:
EventID | Version | Level | Task | Opcode | Keywords | RecordNumber | Channel | Computer | RuleName
followed by the EventData fields for that EventID:
  1  ProcessCreate:    UtcTime | ProcessGuid | ProcessId | Image | FileVersion | Description | Product | Company | OriginalFileName | CommandLine | CurrentDirectory | User | LogonGuid | LogonId | TerminalSessionId | IntegrityLevel | Hashes | ParentProcessGuid | ParentProcessId | ParentImage | ParentCommandLine
  5  ProcessTerminate: UtcTime | ProcessGuid | ProcessId | Image
  7  ImageLoad:        UtcTime | ProcessGuid | ProcessId | Image | ImageLoaded | FileVersion | Description | Product | Company | OriginalFileName | Hashes | Signed | Signature | SignatureStatus
  10 ProcessAccess:    UtcTime | SourceProcessGUID | SourceProcessId | SourceThreadId | SourceImage | TargetProcessGUID | TargetProcessId | TargetImage | GrantedAccess | CallTrace (stack frames joined with "|" and no spaces)
  11 FileCreate:       UtcTime | ProcessGuid | ProcessId | Image | TargetFilename | CreationUtcTime
  17 PipeCreated / 18 PipeConnected: EventType | UtcTime | ProcessGuid | ProcessId | PipeName | Image
  23 FileDelete:       UtcTime | ProcessGuid | ProcessId | User | Image | TargetFilename | Hashes | IsExecutable | Archived

7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444657 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\ole32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Microsoft OLE for Windows | Microsoft® Windows® Operating System | Microsoft Corporation | OLE32.DLL | MD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444656 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444655 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444654 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444653 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\gdi32full.dll | 10.0.14393.4350 (rs1_release.210407-2154) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444652 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444651 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\gdi32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | GDI Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | gdi32 | MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444650 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444649 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444648 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\ucrtbase.dll | 10.0.14393.3659 (rs1_release_1.200410-1813) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | ucrtbase.dll | MD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444647 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\win32u.dll | 10.0.14393.0 (rs1_release.160715-1616) | Win32u | Microsoft® Windows® Operating System | Microsoft Corporation | Win32u.DLL | MD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444646 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444645 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\user32.dll | 10.0.14393.4169 (rs1_release.210107-1130) | Multi-User Windows USER API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | user32 | MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444644 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444643 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\nsi.dll | 10.0.14393.3297 (rs1_release_1.191001-1045) | NSI User-mode interface DLL | Microsoft® Windows® Operating System | Microsoft Corporation | nsi.dll | MD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444642 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444641 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444640 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\dnsapi.dll | 10.0.14393.4350 (rs1_release.210407-2154) | DNS Client API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | dnsapi | MD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444639 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\IPHLPAPI.DLL | 10.0.14393.2339 (rs1_release_inmarket.180611-1502) | IP Helper API | Microsoft® Windows® Operating System | Microsoft Corporation | iphlpapi.dll | MD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444638 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\secur32.dll | 10.0.14393.2273 (rs1_release_1.180427-1811) | Security Support Provider Interface | Microsoft® Windows® Operating System | Microsoft Corporation | secur32.dll | MD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444637 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444636 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\rpcrt4.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Remote Procedure Call Runtime | Microsoft® Windows® Operating System | Microsoft Corporation | rpcrt4.dll | MD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444635 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444634 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | true | Microsoft Windows | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 2444633 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-842B-607D-9B00-00000000BB01} | 3168 | 3556 | C:\Windows\system32\conhost.exe | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444632 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\KernelBase.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | Kernelbase.dll | MD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444631 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\kernel32.dll | 10.0.14393.4350 (rs1_release.210407-2154) | Windows NT BASE API Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | kernel32 | MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444630 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Windows\System32\ntdll.dll | 10.0.14393.4350 (rs1_release.210407-2154) | NT Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ntdll.dll | MD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444629 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 8.0.2 | Network monitor | Splunk Application | Splunk Inc. | splunk-netmon.exe | MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3 | true | Splunk, Inc. | Valid
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 2444628 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-83AC-607D-0500-00000000BB01} | 412 | 428 | C:\Windows\system32\csrss.exe | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 2444627 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.749 | {21761711-842A-607D-9700-00000000BB01} | 3716 | 3760 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 0x1fffff | C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
1 | 5 | 4 | 1 | 0 | 0x8000000000000000 | 2444626 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.734 | {21761711-A7A5-6081-8684-00000000BB01} | 7360 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe | 8.0.2 | Network monitor | Splunk Application | Splunk Inc. | splunk-netmon.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe" | C:\Windows\system32\ | NT AUTHORITY\SYSTEM | {21761711-83AD-607D-E703-000000000000} | 0x3e7 | 0 | System | MD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3 | {21761711-842A-607D-9700-00000000BB01} | 3716 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 2444625 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | ConnectPipe | 2021-04-22 16:43:17.734 | {21761711-842A-607D-9700-00000000BB01} | 3716 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 2444624 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreatePipe | 2021-04-22 16:43:17.734 | {21761711-842A-607D-9700-00000000BB01} | 3716 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 2444623 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | ConnectPipe | 2021-04-22 16:43:17.734 | {21761711-842A-607D-9700-00000000BB01} | 3716 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 2444622 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreatePipe | 2021-04-22 16:43:17.734 | {21761711-842A-607D-9700-00000000BB01} | 3716 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 2444621 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | ConnectPipe | 2021-04-22 16:43:17.734 | {21761711-842A-607D-9700-00000000BB01} | 3716 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17 | 1 | 4 | 17 | 0 | 0x8000000000000000 | 2444620 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | CreatePipe | 2021-04-22 16:43:17.734 | {21761711-842A-607D-9700-00000000BB01} | 3716 | <Anonymous Pipe> | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11 | 2 | 4 | 11 | 0 | 0x8000000000000000 | 2444619 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.397 | {21761711-8437-607D-CE00-00000000BB01} | 2032 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | 2021-04-19 13:21:25.072
23 | 5 | 4 | 23 | 0 | 0x8000000000000000 | 2444618 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.397 | {21761711-8437-607D-CE00-00000000BB01} | 2032 | NT AUTHORITY\SYSTEM | C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe | C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational | MD5=65722BCAB2B80EF07AB886F25C03F545,SHA256=33C15019220AE0CA7AF512E6908260E1778896CE705D50E2B35B99EF8294287B | false | false - insufficient disk space
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 1527731 | Microsoft-Windows-Sysmon/Operational | win-dc-982.attackrange.local | - | 2021-04-22 16:43:17.592 | {761B69BB-818C-607D-0C00-00000000BA01} | 844 | 972 | C:\Windows\system32\svchost.exe | {761B69BB-88AA-6081-647F-00000000BA01} | 6840 | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | 0x3600 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 1527730 | Microsoft-Windows-Sysmon/Operational | win-dc-982.attackrange.local | - | 2021-04-22 16:43:17.592 | {761B69BB-818C-607D-0C00-00000000BA01} | 844 | 972 | C:\Windows\system32\svchost.exe | {761B69BB-88AA-6081-657F-00000000BA01} | 6112 | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | 0x3600 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
5 | 3 | 4 | 5 | 0 | 0x8000000000000000 | 2444617 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.201 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
10 | 3 | 4 | 10 | 0 | 0x8000000000000000 | 2444616 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.201 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | 220 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | {21761711-842A-607D-9700-00000000BB01} | 3716 | C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe | 0x101400 | C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444615 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.201 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\dbgcore.dll | 10.0.14321.1024 (debuggers(dbg).210127-1811) | Windows Core Debugging Helpers | Microsoft® Windows® Operating System | Microsoft | DBGCORE.DLL | MD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444614 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.201 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\dbghelp.dll | 10.0.14321.1024 (rs1_release.160715-1616) | Windows Image Helper | Microsoft® Windows® Operating System | Microsoft | DBGHELP.DLL | MD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444613 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.079 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\cryptbase.dll | 10.0.14393.0 (rs1_release.160715-1616) | Base cryptographic API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | cryptbase.dll | MD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444612 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.079 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\rsaenh.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Microsoft Enhanced Cryptographic Provider | Microsoft® Windows® Operating System | Microsoft Corporation | rsaenh.dll | MD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444611 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.079 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\cryptsp.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Cryptographic Service Provider API | Microsoft® Windows® Operating System | Microsoft Corporation | cryptsp.dll | MD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C | true | Microsoft Windows | Valid
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 2444610 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | ConnectPipe | 2021-04-22 16:43:17.079 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | \srvsvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444609 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.079 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\srvcli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Server Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | SRVCLI.DLL | MD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FB | true | Microsoft Windows | Valid
18 | 1 | 4 | 18 | 0 | 0x8000000000000000 | 2444608 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | ConnectPipe | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | \wkssvc | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444607 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\bcrypt.dll | 10.0.14393.4046 (rs1_release.201028-1803) | Windows Cryptographic Primitives Library | Microsoft® Windows® Operating System | Microsoft Corporation | bcrypt.dll | MD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444606 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\wkscli.dll | 10.0.14393.0 (rs1_release.160715-1616) | Workstation Service Client DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WKSCLI.DLL | MD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444605 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\netutils.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API Helpers DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NETUTILS.DLL | MD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444604 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\netapi32.dll | 10.0.14393.0 (rs1_release.160715-1616) | Net Win32 API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | NetApi32.DLL | MD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093F | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444603 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\kernel.appcore.dll | 10.0.14393.2312 (rs1_release.180607-1919) | AppModel API Host | Microsoft® Windows® Operating System | Microsoft Corporation | kernel.appcore.dll | MD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444602 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\Wldap32.dll | 10.0.14393.3269 (rs1_release.190929-1234) | Win32 LDAP API DLL | Microsoft® Windows® Operating System | Microsoft Corporation | WLDAP32.DLL | MD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444601 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\adsldpc.dll | 10.0.14393.0 (rs1_release.160715-1616) | ADs LDAP Provider C DLL | Microsoft® Windows® Operating System | Microsoft Corporation | adsldpc | MD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444600 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | vcruntime140.dll | MD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9 | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444599 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll | 14.16.27012.6 built by: vcwrkspc | Microsoft® C Runtime Library | Microsoft® Visual Studio® 2017 | Microsoft Corporation | msvcp140.dll | MD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF | true | Microsoft Corporation | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444598 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\archive.dll | - | - | - | - | - | MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444597 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | libeay32.dll | MD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444596 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll | - | - | - | - | - | MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444595 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll | - | - | - | - | - | MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444594 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll | 1.0.2t | OpenSSL Shared Library | The OpenSSL Toolkit | The OpenSSL Project, http://www.openssl.org/ | ssleay32.dll | MD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444593 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll | - | - | - | - | - | MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66A | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444592 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\activeds.dll | 10.0.14393.4169 (rs1_release.210107-1130) | ADs Router Layer DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ADs | MD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444591 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll | 2.9.9 | libxml2 library | libxml2 | - | libxml2.dll | MD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1 | true | Splunk, Inc. | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444590 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\ws2_32.dll | 10.0.14393.3241 (rs1_release_inmarket.190910-1801) | Windows Socket 2.0 32-Bit DLL | Microsoft® Windows® Operating System | Microsoft Corporation | ws2_32.dll | MD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444589 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\msvcrt.dll | 7.0.14393.2457 (rs1_release_inmarket.180822-1743) | Windows NT CRT DLL | Microsoft® Windows® Operating System | Microsoft Corporation | msvcrt.dll | MD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444588 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\advapi32.dll | 10.0.14393.2969 (rs1_release.190503-1820) | Advanced Windows 32 Base API | Microsoft® Windows® Operating System | Microsoft Corporation | advapi32.dll | MD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484B | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444587 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\msvcp_win.dll | 10.0.14393.2999 (rs1_release_inmarket.190520-1518) | Microsoft® C Runtime Library | Microsoft® Windows® Operating System | Microsoft Corporation | msvcp_win.dll | MD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444586 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\oleaut32.dll | 10.0.14393.4225 (rs1_release.210127-1811) | OLEAUT32.DLL | Microsoft® Windows® Operating System | Microsoft Corporation | OLEAUT32.DLL | MD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931 | true | Microsoft Windows | Valid
7 | 3 | 4 | 7 | 0 | 0x8000000000000000 | 2444585 | Microsoft-Windows-Sysmon/Operational | win-host-5.attackrange.local | - | 2021-04-22 16:43:17.063 | {21761711-A7A5-6081-8584-00000000BB01} | 1236 | C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe | C:\Windows\System32\sechost.dll | 10.0.14393.3808 (rs1_release.200707-2105) | Host for SCM/SDDL/LSA Lookup APIs | Microsoft® Windows® Operating System | Microsoft Corporation | sechost.dll | MD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2 | true | Microsoft Windows | Valid
734700x80000000000000002444584Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid
734700x80000000000000002444583Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4350 (rs1_release.210407-2154)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=BC930981DA6E598A6A2E87D8355CB38A,SHA256=34DB9A305C0574B5C1694A499221B520DFB2BFD894D8E95096ABF09F1182D758trueMicrosoft WindowsValid
734700x80000000000000002444582Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid
734700x80000000000000002444581Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid
734700x80000000000000002444580Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000002444579Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid
734700x80000000000000002444578Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000002444577Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000002444576Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
10341000x80000000000000002444575Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002444574Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000002444573Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000002444572Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid
734700x80000000000000002444571Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid
10341000x80000000000000002444570Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000002444569Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.063{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000002444568Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.048{21761711-A7A5-6081-8584-00000000BB01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
11241100x80000000000000002444567Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.048{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002444566Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:17.048{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=180B0DB58DD2FBAD3BB53D5E25955103,SHA256=AA25E205053A9B394F11123263878A03F11695020C8DEFCB42479CFD7B7ABDB3falsefalse - insufficient disk space
18141800x80000000000000002444565Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444564Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000002444563Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444562Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000002444561Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444560Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:17.048{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
23542300x80000000000000001527737Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:18.949{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3DBC3D20C399C349C66E4611D60302,SHA256=2768FC15C64E7ED637CE472C9D9C9920C14747C7935350EDA821329B1C8098E2,IMPHASH=00000000000000000000000000000000falsetrue
534500x80000000000000002444740Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000002444739Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000002444738Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}45283924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002444737Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000002444736Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.567{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
11241100x80000000000000002444735Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.500{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444734Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.500{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C879CCDC34F990C64B9026526C986A,SHA256=28295857FA337039FBB78F876E6191F9365E441932497EB9B73130BE5BEF8B2Cfalsefalse - insufficient disk space
734700x80000000000000002444733Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000002444732Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid
734700x80000000000000002444731Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000002444730Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000002444729Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000002444728Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
734700x80000000000000002444727Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid
734700x80000000000000002444726Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000002444725Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000002444724Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000002444723Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000002444722Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000002444721Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid
734700x80000000000000002444720Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid
734700x80000000000000002444719Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid
734700x80000000000000002444718Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000002444717Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid
734700x80000000000000002444716Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000002444715Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000002444714Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000002444713Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000002444712Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000002444711Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:18.436{21761711-A7A6-6081-8784-00000000BB01}4528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000002444821Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000002444820Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
10341000x80000000000000002444819Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002444818Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000002444817Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000002444816Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid
734700x80000000000000002444815Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid
10341000x80000000000000002444814Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.839{21761711-83AC-607D-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000002444813Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000002444812Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.824{21761711-A7A7-6081-8984-00000000BB01}7624C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000002444811Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444810Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000002444809Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444808Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000002444807Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444806Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:19.823{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
11241100x80000000000000002444805Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.623{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444804Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.623{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E51C2A09BF2735D2086623CA97A96BD,SHA256=3E2192A686340D46D0B3DAF6447C63BA73713DAAC2D753F47B7212449CA60EB9falsefalse - insufficient disk space
11241100x80000000000000002444803Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.604{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444802Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.603{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C6C05C572D505179760E97484D0595,SHA256=6E5AA3614CB6A4CEB659B0449643A434362073210E4893B7785D1B6CBD48EDD3falsefalse - insufficient disk space
11241100x80000000000000002444801Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.601{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002444800Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.601{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63C5652391153816EE4FA0EB813E523F,SHA256=CC8814F6441A8810E754F193DA3BC6562F816ED422DBD744937A5630ECB2F7CBfalsefalse - insufficient disk space
23542300x80000000000000001527741Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:19.912{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6F7C450D4B77ACC20C850140538947E,SHA256=7DCA3F9B1D010E4E7C0B937154A665EEDF39D04F25B78BE160E8A3D6C20E8CD0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527740Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:19.593{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527739Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:19.593{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527738Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:12.692{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1056-false10.0.1.12-8000-
534500x80000000000000002444799Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000002444798Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid
10341000x80000000000000002444797Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002444796Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid
734700x80000000000000002444795Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.269{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid
734700x80000000000000002444794Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.153{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid
734700x80000000000000002444793Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.153{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.2969 (rs1_release.190503-1820)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=B6E99FD898E948657373BB02708C7C00,SHA256=90476029BD7AB0FEC53AAE567AE53BC0B09C7C5C8C7B8F19485BA872B74ED591trueMicrosoft WindowsValid
734700x80000000000000002444792Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid
18141800x80000000000000002444791Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000002444790Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid
18141800x80000000000000002444789Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe
734700x80000000000000002444788Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=51F4F9025E6D236F5BF2C24C09E42C8E,SHA256=AE196933C3E292680C83B09F24CE9E6D498E34ECDD30ACB8C1544EEB4705F285trueMicrosoft WindowsValid
734700x80000000000000002444787Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid
734700x80000000000000002444786Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid
734700x80000000000000002444785Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid
734700x80000000000000002444784Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid
734700x80000000000000002444783Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid
734700x80000000000000002444782Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4225 (rs1_release.210127-1811)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=BB3CFF02CD7B7C5704A3E8C77DC0C199,SHA256=016E4F1366708D0F7AD7017CDFCACBDC770C972B63E579EE9A20A98CD3301931trueMicrosoft WindowsValid
734700x80000000000000002444781Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4046 (rs1_release.201028-1803)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=E92A3F429653A81E4C53A0B474A817A5,SHA256=4ECAFDB8F0F20BFFC1A5516882FD59C961DEACC2B01F669ABF1D1895F6F90A55trueMicrosoft WindowsValid
734700x80000000000000002444780Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=88632FDECDE467B887C3594BE2EC545C,SHA256=FFED4D80961917C785063411ED15CED1DB6588AD925E76D72E1BF684FFDBF25DtrueMicrosoft WindowsValid
734700x80000000000000002444779Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid
734700x80000000000000002444778Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid
734700x80000000000000002444777Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid
734700x80000000000000002444776Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4350 (rs1_release.210407-2154)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F9FE858A976B6D38FD5CEA46019B246A,SHA256=37F7417D0AA2A15121A14CF176F0C4A1B6BB01E290324CCA0DDB001F47E8C458trueMicrosoft WindowsValid
734700x80000000000000002444775Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid
734700x80000000000000002444774Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid
734700x80000000000000002444773Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid
734700x80000000000000002444772Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid
734700x80000000000000002444771Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid
734700x80000000000000002444770Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:19.137{21761711-A7A7-6081-8884-00000000BB01}7040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid
734700x80000000000000002444880Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid
734700x80000000000000002444879Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid
734700x80000000000000002444878Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid
734700x80000000000000002444877Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid
734700x80000000000000002444876Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.2969 (rs1_release.190503-1820)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=F5442C4B9A99C3AED71BED79AC46DAD1,SHA256=05F47403F3BD93FB11F39A5CB4D6E4DD08B35FF4FA3D4969D8E5396D38FB484BtrueMicrosoft WindowsValid
10341000x80000000000000002444875Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-842B-607D-9B00-00000000BB01}31683556C:\Windows\system32\conhost.exe{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
734700x80000000000000002444874Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid
734700x80000000000000002444873Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid
734700x80000000000000002444872Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4350 (rs1_release.210407-2154)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=4C8F6DF16BD8E2739EC0D3439EA7507C,SHA256=79E203951A298D2818A9484A56521FA70DF19B7053F704378375128C7C48E8EEtrueMicrosoft WindowsValid
734700x80000000000000002444871Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid
10341000x80000000000000002444870Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-83AC-607D-0500-00000000BB01}412976C:\Windows\system32\csrss.exe{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000002444869Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.525{21761711-842A-607D-9700-00000000BB01}37163760C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000002444868Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:20.510{21761711-A7A8-6081-8A84-00000000BB01}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{21761711-83AD-607D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{21761711-842A-607D-9700-00000000BB01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
18141800x80000000000000002444867Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:20.509{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444866Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:20.509{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000002444865Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:20.509{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444864Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:20.509{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
18141800x80000000000000002444863Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-ConnectPipe2021-04-22 16:43:20.509{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
17141700x80000000000000002444862Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-CreatePipe2021-04-22 16:43:20.509{21761711-842A-607D-9700-00000000BB01}3716<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
23542300x80000000000000001527750Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:21.972{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF3946B143C6E9F893BDBE626BC0FEE8,SHA256=449C1AAFB0FA6C66CC525AB269D5E21A10BC402F3359AED1CC9022CAD94253E8,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444925Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:21.891{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444924Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:21.891{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3D48E17F9F2F60CF8EF7BB39A52994,SHA256=95B2CE6FFEC981FB27F9CD81DC5CE47C84CC2415DEA48B60ED33464EF27A780Cfalsefalse - insufficient disk space
10341000x80000000000000001527749Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:21.595{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527748Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:21.595{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527747Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:21.318{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15053BAFB995597864A8D662C904016C,SHA256=BBF1E1DAD5C72B45701ECB60425ABA7F723CC513BD65AA22A18A706CE9D6D4EB,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001527746Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:14.502{761B69BB-9C8D-6081-C081-00000000BA01}4856C:\Users\Administrator\Desktop\beacon_sph.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1057-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
23542300x80000000000000001527753Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:22.986{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F012B1C275911D8AF5537F6B850EB1E9,SHA256=A2A67C7C9DCF7BF63090B60A4F02D355ABEA43828F2B45CE3F956A2080095B16,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444929Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:22.911{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444928Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:22.911{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55543BDCF890E04404D5E6B5AC5936BB,SHA256=2EE120A147F7DC6BBA8341C57A905D5738209D111834403467D05CD42FE8E6F7falsefalse - insufficient disk space
10341000x80000000000000001527752Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:22.596{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527751Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:22.596{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002444927Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:22.592{21761711-83AE-607D-1100-00000000BB01}968C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-04-19 13:20:46.436
23542300x80000000000000002444926Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:22.592{21761711-83AE-607D-1100-00000000BB01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=59E3761269D3729FFD777F05DA0FD4E7,SHA256=C04BD05E346C651F19A2393C91417CCEF1B1F64ACF96B63771B927C9F5B2E499falsefalse - insufficient disk space
11241100x80000000000000002444933Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:23.933{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444932Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:23.933{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AFF7B3F9299227BD07C27791D5A4C44,SHA256=7D17837FB5816DAE033957FF6D8A308BD4ECD54F53645FE3202204E0FF15F5DDfalsefalse - insufficient disk space
23542300x80000000000000001527757Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:23.991{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF7FAE5A7EBD5EB64215FD445848727,SHA256=C6A38F00562D4DE46CA9384E3E3BC9E883506E9F7593E047ACC06EF8038EB160,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527756Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:23.597{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527755Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:23.597{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527754Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:23.236{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36A83599BF4ADF98460E636D5CCEF70B,SHA256=5D7FB5C0211A49402F2DFA2148EBDA093484503435292F698C043F46DE4F7F40,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444931Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:23.247{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002444930Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:23.247{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2FDF40F6DDF16C5D16A1D40845FA989,SHA256=404BAE987AD1AFAA667307C7620CD376D43E902CE45B021E622EC109F6FE1EC9falsefalse - insufficient disk space
23542300x80000000000000001527761Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:24.996{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD661FBB11D67471CF225D6DEB4A3B50,SHA256=78FEB597B625B83C40E5DA246C3184D8C558CF525C531326BF937DB3D8EFE8BD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527760Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:24.597{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527759Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:24.597{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527758Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:17.826{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1058-false10.0.1.12-8000-
354300x80000000000000002444936Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:21.706{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49270-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002444935Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:25.083{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444934Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:25.083{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF75C9DE5EBCA457C065A518E571309,SHA256=99442C8BDCAD11C09C4A6F6F9C2CEA52E9612A57D02D89F4CF006D2207309732falsefalse - insufficient disk space
23542300x80000000000000001527764Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:25.771{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91203D52759D96116B76E82719AA90C5,SHA256=8188A46F28A6B919F36CAB929873288939A3065EE17149BB4D6644C5B2802F51,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527763Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:25.598{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527762Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:25.598{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
11241100x80000000000000002444938Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:26.119{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444937Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:26.118{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E974013D8290A47910FBD13D653D5062,SHA256=711B9E3F806B928DD24A7E9714F02A26D575CE1CC70A9B905535D2E6194A255Ffalsefalse - insufficient disk space
10341000x80000000000000001527767Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:26.599{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000002444986Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CA8519C74A6BC5050886831336CC55F,SHA256=2CA15354910F1BE38B90E620FE48B93D32EB3A764428C977944920BF5F38C345falsefalse - insufficient disk space
11241100x80000000000000002444985Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227
23542300x80000000000000002444984Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B0D7A395FD094065BE8DE801E4F1E1AB,SHA256=6DD3D45764BE980D32D4DA048E929357AA5BE08A438ADAE359D3FB55CE72C93Ffalsefalse - insufficient disk space
11241100x80000000000000002444983Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-04-19 13:19:53.227
23542300x80000000000000002444982Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:33.218{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EBAC73DE9072EE017282D3B992793D06,SHA256=18F3B2D824EED167FB312E003C16029B1476C0539A9F6EE6C2603D0ED9E3D133falsefalse - insufficient disk space
11241100x80000000000000002444991Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:34.374{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444990Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:34.374{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0974602B0A4C7C799493B9E473CA0CB6,SHA256=B09C522DF6391A1CF7C2AFF3D1D8C757EA498166BBC0661BD06BC7C1CE8246A8falsefalse - insufficient disk space
10341000x80000000000000001527798Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:34.606{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527797Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:34.606{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527796Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:34.227{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC1F24C3F8E2C92D3EF6A34B0CF7302,SHA256=DCD56F609759271A1EBD3ECB65689FE92C39687F236188C1D6CD767DA6733DD7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527795Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:34.077{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB45CC28EC2A0AA0322593AFCCCAF4CB,SHA256=7730E0E5007972586064D7973C96D7A2083C7CEA9AAE9E158F88ED60B030E650,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444994Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:35.476{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444993Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:35.476{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA29FCC3F4411E5BE73A764CB43E93A,SHA256=905CC4CDE6A3B17E1C91DF622A2BF0C566E315B075981618F34E26B4802EC7A1falsefalse - insufficient disk space
10341000x80000000000000001527802Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:35.607{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527801Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:35.607{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527800Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:29.610{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1061-false10.0.1.12-8000-
23542300x80000000000000001527799Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:35.084{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BEB260EA43881E8C99E814D5C6D4CF,SHA256=2F742B16A932EED291BA5B89D3A6CE4B5152D66DFC9F650D660820C3D74A2BCF,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002444992Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:32.563{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49272-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002444996Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:36.510{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444995Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:36.510{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64CD4DBE3FCD0113BC3575C663AC1426,SHA256=65BF3B7C7496D9D6E8608DF52001AE6965297C5D7B3FF11A4DBAE9AB8A873423falsefalse - insufficient disk space
10341000x80000000000000001527806Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:36.649{761B69BB-818A-607D-0B00-00000000BA01}632760C:\Windows\system32\lsass.exe{761B69BB-8188-607D-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e
10341000x80000000000000001527805Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:36.607{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527804Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:36.607{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527803Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:36.093{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9786C63EACA0196EF3BBE7FD581CC8D8,SHA256=95249CBA55CCFECC5BC982E154B5F2DCD2E4805A23CC164B495B15C19436C508,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002444998Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:37.512{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444997Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:37.512{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837F35EA3DDE2201978667B1F4B62C09,SHA256=63DBE206A4CBC582264554609576E6A0935D81C992EF6DDC502C2C41F4E28C65falsefalse - insufficient disk space
354300x80000000000000001527814Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.144{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-982.attackrange.local1063-false10.0.1.14win-dc-982.attackrange.local389ldap
354300x80000000000000001527813Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.144{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1063-false10.0.1.14win-dc-982.attackrange.local389ldap
354300x80000000000000001527812Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.137{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1062-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap
354300x80000000000000001527811Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.137{761B69BB-818C-607D-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1062-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap
10341000x80000000000000001527810Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:37.608{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527809Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:37.608{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527808Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:37.565{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6CE9C22D8FACD83CE58164575070392,SHA256=F61B696EEEA3408527705B2E2A93C386797A58456E00BDC2C2FEC3B84799C910,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527807Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:37.103{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C4CCCFC1B7FBAC9B1A2EEC4A85938E,SHA256=7D92CCAEAC772DF3EF220C0EBA18E2189CF6D2094729BDD188C6C6135B536E36,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002445000Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:38.515{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002444999Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:38.515{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A94D11A6CCC5EEFF138AC5FF7747DDD,SHA256=E2E83C79C3D01ED3A51250C1990EA532604D284A5DCE3320F8AA93387157370Ffalsefalse - insufficient disk space
10341000x80000000000000001527819Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:38.609{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527818Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:38.609{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527817Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.241{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1064-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds
354300x80000000000000001527816Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.241{761B69BB-8188-607D-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1064-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local445microsoft-ds
23542300x80000000000000001527815Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:38.111{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71E3391F2027B5AFF62E30F101E49CB,SHA256=42CAF887632273C3E19CD0CF3F614F7F3021C2D6EB9510B479D0F880EE78E2FF,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002445002Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:39.517{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002445001Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:39.517{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF9CDC20198BCF7BDE53D4F66F3EBD1,SHA256=989531871B3776DC359F57F51904DF12F5957A16B82099A868DBB5FA8EEDD0CCfalsefalse - insufficient disk space
10341000x80000000000000001527824Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:39.610{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527823Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:39.610{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527822Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:39.241{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11CB86A88C27D95AE98CE779FDA498FC,SHA256=8E3100304B60134F4D8AD62B47F10B0649F25BE1C2C29871A8ADFE87110EEFDE,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000001527821Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:32.558{761B69BB-9CAE-6081-C581-00000000BA01}6552C:\Windows\SysWOW64\SearchProtocolHost.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-982.attackrange.local1065-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
23542300x80000000000000001527820Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:39.116{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61384D2D1C3060CBE7C2D5981E8F55AA,SHA256=FEC3514F0FF44157F4D573CCDE0D85783C4590731EFF8B3F71256DD15034FA55,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002445009Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:40.519{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002445008Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:40.519{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67C3CA95569777FDDD2D4C385723E70,SHA256=0CF01537E7BF17EEE8D7897FC634B9CAFDDAECF32A557148EDD162A7470A5A45falsefalse - insufficient disk space
10341000x80000000000000001527827Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:40.611{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527826Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:40.611{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527825Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:40.121{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208EC98EA851BE1482A182F51F1FD937,SHA256=A2B095638C3028D0555E08DDF03C66C4B2DF2864BCDB2FCABE382C20D1CCF662,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002445007Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:38.577{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49273-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
13241300x80000000000000001527869Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 16:43:51.615{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML
13241300x80000000000000001527868Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 16:43:51.612{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\59F158BB-F4A4-42E1-B81F-FD8310C406A3\Config SourceDWORD (0x00000001)
13241300x80000000000000001527867Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-SetValue2021-04-22 16:43:51.612{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\59F158BB-F4A4-42E1-B81F-FD8310C406A3\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_59F158BB-F4A4-42E1-B81F-FD8310C406A3.XML
23542300x80000000000000001527866Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:51.194{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6F853674253F9DA24B27328524E56B,SHA256=43952C88F675CECC958D80010BFADFE708CD7E41688F7C2DF38A0796EFACDC27,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002445042Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:49.587{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49276-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002445041Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.144{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002445040Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.144{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5F1B99F5038F1C6185A112B9C463C8,SHA256=37C593C2BC28505D301C258E61FDE5D1A880CA1370A88DC52D41A988E57F47A3falsefalse - insufficient disk space
11241100x80000000000000002445039Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.144{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002445038Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.144{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55D44346392B9EF31AAEB18A5F50022C,SHA256=03D0D2D1BF5B190BBA6140E89D135419B2E801232CE09C49B47A51F73DFE3DB3falsefalse - insufficient disk space
11241100x80000000000000002445037Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.012{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002445036Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:51.012{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82AC06DB33B624A6AC55611A3FF21197,SHA256=00A92FE552D728934E0BD78A20AF453477A724A369D4487ABA5F76EC60769DB5falsefalse - insufficient disk space
354300x80000000000000001527890Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.209{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1072-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap
354300x80000000000000001527889Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.209{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1072-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap
354300x80000000000000001527888Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.194{761B69BB-818C-607D-0D00-00000000BA01}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1071-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap
354300x80000000000000001527887Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.194{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1071-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local135epmap
23542300x80000000000000001527886Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.641{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9DBE73F17CC6054C15AC2A85DBDA995D,SHA256=F04A57FFADC68083B3C5F78B35C915CFAA7DF24E90DC463A20719C22533F7AE5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527885Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.621{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527884Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.621{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527883Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:45.767{761B69BB-8207-607D-CF00-00000000BA01}4116C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1070-false10.0.1.12-8000-
354300x80000000000000001527882Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:45.188{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-982.attackrange.local1069-false10.0.1.12-8089-
23542300x80000000000000001527881Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.201{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D41DC566C59C121F25CA7AD416F4478,SHA256=B6C738DE166FE6C5DF647C15768C45437550240989E15DBBC3E64A00B334D943,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002445044Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:52.031{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002445043Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:52.031{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6AE817F5D57CF84C46518CBD296701,SHA256=A006F2D96C19640D05C347902F4920A465D7A71E54772F30458A9C729F42E1A0falsefalse - insufficient disk space
10341000x80000000000000001527880Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.096{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A7C8-6081-1383-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527879Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.094{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527878Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.094{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527877Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.094{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527876Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.094{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527875Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.094{761B69BB-818A-607D-0500-00000000BA01}408412C:\Windows\system32\csrss.exe{761B69BB-A7C8-6081-1383-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001527874Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.093{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A7C8-6081-1383-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001527873Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.093{761B69BB-A7C8-6081-1383-00000000BA01}6736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001527872Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:52.018{761B69BB-818C-607D-1100-00000000BA01}92NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=351B455F32DF17FB35BE8B1B944E4A80,SHA256=DD8F4787A4A5D3CB53BCF9718423476A106600B552E6E323AACF12EB48CA33FB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x80000000000000001527895Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:53.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527894Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:53.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
354300x80000000000000001527893Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.214{761B69BB-818A-607D-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1073-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap
354300x80000000000000001527892Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:47.214{761B69BB-819C-607D-2B00-00000000BA01}2972C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local1073-truefe80:0:0:0:118f:34ac:1322:c17ewin-dc-982.attackrange.local389ldap
23542300x80000000000000001527891Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:53.211{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955329E8180D40A5C4674B3D04553F1A,SHA256=D78D43B4993F7626359E17CDC1D902E2BA6089287DCC0E884074C5DC278A9636,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002445046Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:53.033{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002445045Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:53.033{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902B4A4F471F31CE7EA90FF238D21CE6,SHA256=EE348AC6BAB18CA29E89E6837B7D580756AFA1BAB65F5205CC0775D3C48F5EB9falsefalse - insufficient disk space
11241100x80000000000000002445048Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:54.184{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002445047Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:54.184{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B48F1582F9B6BAEDA1E11051C864E79,SHA256=0AF60AD171E5BE7772E747FD599004DA750E9997C29DA7560672D5E47DFED608falsefalse - insufficient disk space
10341000x80000000000000001527898Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:54.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527897Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:54.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527896Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:54.214{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0493DB67496695393D2D45F8BB48F8,SHA256=4968FB9C51C9907655A3813D04DE44B408418A6EF6E4381FEE15312A6BA0EB5A,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002445050Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:55.238{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002445049Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:55.238{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E98B7D9BF535646FB4AB8917E83619,SHA256=4F0826B4FAF3F093A52CD4C7F10C846E5EEFC1D08AAC29051001632081D1FE6Dfalsefalse - insufficient disk space
10341000x80000000000000001527901Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:55.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527900Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:55.622{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527899Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:55.224{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3338B07F7B42B00CC4F72DAAFBC5C4,SHA256=E129D1024BA06B7AD265496DFE0C4C473077364BDF835E039980B1C07288E1D1,IMPHASH=00000000000000000000000000000000falsetrue
354300x80000000000000002445057Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:54.615{21761711-8431-607D-C500-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-5.attackrange.local49277-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000-
11241100x80000000000000002445056Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:56.241{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-04-19 13:21:25.072
23542300x80000000000000002445055Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:56.241{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFE4054EF920C1BCFC0098E7839B89E,SHA256=7C8ED9FAD83B9A667F1B75DA14AB6DCE70DD4C1964382AD2130455578513A381falsefalse - insufficient disk space
10341000x80000000000000001527922Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.893{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A7CC-6081-1583-00000000BA01}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527921Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.891{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527920Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.891{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527919Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.891{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527918Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.891{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527917Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.890{761B69BB-818A-607D-0500-00000000BA01}408424C:\Windows\system32\csrss.exe{761B69BB-A7CC-6081-1583-00000000BA01}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001527916Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.890{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A7CC-6081-1583-00000000BA01}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001527915Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.890{761B69BB-A7CC-6081-1583-00000000BA01}5184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x80000000000000001527914Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.623{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-647F-00000000BA01}6840C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527913Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.623{761B69BB-818C-607D-0C00-00000000BA01}844972C:\Windows\system32\svchost.exe{761B69BB-88AA-6081-657F-00000000BA01}6112C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+3479f|C:\Windows\SYSTEM32\psmserviceexthost.dll+32739|C:\Windows\SYSTEM32\psmserviceexthost.dll+22de9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ee24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527912Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.358{761B69BB-A7CC-6081-1483-00000000BA01}5412976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
23542300x80000000000000001527911Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.235{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861CB9B216AD620C1E137572F392D530,SHA256=4E625CD4785D82DCBB89D36B8AD71F39CC80AFA65EC910CBBD3283DF90F1974D,IMPHASH=00000000000000000000000000000000falsetrue
11241100x80000000000000002445054Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:56.156{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002445053Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:56.156{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=760023261B3A7DE454796B0CDA52E493,SHA256=D3B6ECF2D63BFEE75B3840C5AD9A18BCCA54137465C9C094AFE3A660F4E1B830falsefalse - insufficient disk space
11241100x80000000000000002445052Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:56.156{21761711-8437-607D-CE00-00000000BB01}2032C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-04-19 13:20:22.616
23542300x80000000000000002445051Microsoft-Windows-Sysmon/Operationalwin-host-5.attackrange.local-2021-04-22 16:43:56.156{21761711-8437-607D-CE00-00000000BB01}2032NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5F1B99F5038F1C6185A112B9C463C8,SHA256=37C593C2BC28505D301C258E61FDE5D1A880CA1370A88DC52D41A988E57F47A3falsefalse - insufficient disk space
10341000x80000000000000001527910Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.214{761B69BB-8200-607D-A500-00000000BA01}43443804C:\Windows\system32\conhost.exe{761B69BB-A7CC-6081-1483-00000000BA01}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527909Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.213{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527908Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.212{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527907Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.212{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527906Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.212{761B69BB-818C-607D-0C00-00000000BA01}8445192C:\Windows\system32\svchost.exe{761B69BB-819C-607D-2700-00000000BA01}2816C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
10341000x80000000000000001527905Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.212{761B69BB-818A-607D-0500-00000000BA01}4083000C:\Windows\system32\csrss.exe{761B69BB-A7CC-6081-1483-00000000BA01}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f
10341000x80000000000000001527904Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.212{761B69BB-8200-607D-A100-00000000BA01}41483464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{761B69BB-A7CC-6081-1483-00000000BA01}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781
154100x80000000000000001527903Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.211{761B69BB-A7CC-6081-1483-00000000BA01}5412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{761B69BB-818A-607D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{761B69BB-8200-607D-A100-00000000BA01}4148C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x80000000000000001527902Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:56.208{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D8F9D0AA268E0BEBB8F4C6119DAC8BA,SHA256=B6DAA730AE8F5E54589D9263D50FC259A099DA39CBDE5E623007DF841DE3587B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x80000000000000001527923Microsoft-Windows-Sysmon/Operationalwin-dc-982.attackrange.local-2021-04-22 16:43:57.219{761B69BB-820D-607D-D800-00000000BA01}1064NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59AA56377B37B478D46EEA729A2C16F4,SHA256=505279DB4CA9B57DB58E7461E5DEB8EA3AD4D54F1747C0D7F07F461A7F32F445,IMPHASH=00000000000000000000000000000000falsetrue